On Mon, 2017-08-07 at 08:36 -0400, Stephen Smalley wrote:
> On Sat, 2017-08-05 at 14:29 -0700, John Locke wrote:
> > On Wed, Aug 2, 2017 at 11:43 AM, Stephen Smalley <[email protected]> wrote:
> > > On Wed, 2017-08-02 at 09:14 -0700, John Locke wrote:
> > > > My understanding was that since domain is an attribute if I create a
> > > > new domain of type "domain" I should get the same permissions as
> > > > defined in domain.te. One of the allow rules in domain.te is to allow
> > > > writing to logd but I find that unless I duplicate the same rule in my
> > > > own te file I get a violation reported about this. Am I missing
> > > > something here?
> > >
> > > If you mean that you defined a new type and assigned it the domain
> > > attribute, ala:
> > > type my_type, domain;
> > > then yes, it should inherit the allow rules defined on the domain
> > > attribute automatically.
> > >
> > > You'd need to provide more specifics to diagnose if you aren't seeing
> > > that behavior, e.g. your actual .te file or relevant snippets, and the
> > > rule you think ought to be inherited from domain.te.
> > >
> > > Are you using AOSP master or a particular release/branch?
> >
> > I'm using the nougat-mr2.3-release branch. The rule I'm expecting to
> > be inherited from domain.te is the one here that I've also pasted
> > below: https://android.googlesource.com/platform/system/sepolicy/+/nougat-mr2.3-release/domain.te#96
> >
> > # logd access
> > write_logd(domain)
> >
> > Here's the snippet from my_domain.te:
> >
> > type my_domain, domain;
> > type my_domain_exec, exec_type, file_type;
> >
> > init_daemon_domain(my_domain)
> >
> > I have an application started by init and it writes to logd and I get
> > a violation reported saying it doesn't have permission to write to
> > logd. If I duplicate that line from domain.te in my_domain.te as below
> > then the violation goes away:
> >
> > write_logd(my_domain)
> >
> > I didn't expect to have to have this redundant rule.
>
> Your expectation is correct; the redundant rule should not be
> necessary, so this either implies user error or a bug in the build
> process or policy compiler toolchain. Can you provide more details,
> e.g.:
>
> - The actual avc: denied message from logcat or dmesg output,
>
> - If you run sesearch on the policy you built, does it show this
> permission as missing, e.g.
> sesearch -A -s my_domain -t logd

Sorry, you need to specify the path to the sepolicy file above, e.g.
sesearch -A -s my_domain -t out/target/product/<board>/root/sepolicy
Otherwise, it will try to use your host SELinux policy, if any.

> - Is the policy you built identical to the policy installed on the
> device, e.g.
> adb pull /sepolicy
> cmp sepolicy out/target/product/<board>/root/sepolicy
>
> - How are you adding your domain to the policy, e.g. are you dropping
> it in a device/<vendor>/<board>/sepolicy subdirectory and defining a
> BOARD_SEPOLICY_DIRS variable in your BoardConfig.mk or similar?
>
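The checks suggested in the reply, collected into one script. This is an added example, not code from the thread or from AOSP: it assumes setools' sesearch and adb are on PATH, that OUT points at the product output directory (out/target/product/<board>), and that write_logd() expands to rules on logd:unix_dgram_socket and logdw_socket:sock_file (an assumption based on system/sepolicy's te_macros, not something stated in the thread). The two sesearch dumps embedded for the offline check are constructed, one showing what a correctly built policy should contain for my_domain and one showing the missing-rule case described above.

```shell
#!/bin/sh
# Added example, not from the original thread. Walks through the checks
# suggested in the reply: search the *built* policy for the rule that the
# "domain" attribute should have conferred, confirm the device runs the
# same policy, and pull the matching avc denials. Assumes sesearch
# (setools) and adb are on PATH and that OUT points at the AOSP product
# output directory (e.g. out/target/product/<board>); both are assumptions.

# has_allow SRC TGT CLASS PERM: read `sesearch -A` output on stdin and
# succeed if it contains an allow rule granting PERM from SRC to TGT:CLASS.
# Accepts both output styles:
#   allow my_domain logd:unix_dgram_socket sendto;          (setools 4)
#   allow my_domain logd : unix_dgram_socket sendto ;       (setools 3)
has_allow() {
    sed 's/ *: */:/g; s/ *;/;/g' |
    awk -v s="$1" -v tc="$2:$3" -v p="$4" '
        $1 == "allow" && $2 == s && $3 == tc {
            # permissions follow as "perm;" or "{ perm1 perm2 };"
            for (i = 4; i <= NF; i++) {
                f = $i; gsub(/[{};]/, "", f)
                if (f == p) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sesearch output for the good case: what a correctly built
# policy should show for my_domain once write_logd(domain) has been
# expanded through the attribute (classes/permissions are an assumption
# based on te_macros, not quoted from the thread).
SAMPLE_RULES='allow my_domain logd:unix_dgram_socket sendto;
allow my_domain logdw_socket:sock_file write;
allow my_domain my_domain_exec:file { read getattr execute entrypoint };'

# Constructed output for the broken case the thread describes: the
# attribute-derived rules are absent, only the type-specific rule remains.
BROKEN_RULES='allow my_domain my_domain_exec:file { read getattr execute entrypoint };'

# Check 1: does the built policy (not the host policy) grant the permission?
built_policy_has_rule() {   # $1: path to binary sepolicy, $2: domain
    sesearch -A -s "$2" -t logd "$1" | has_allow "$2" logd unix_dgram_socket sendto
}

# Check 2: is the policy on the device byte-identical to the built one?
# Returns 0 (same), 1 (differs) or 2 (could not pull it).
device_policy_matches() {   # $1: path to built sepolicy
    tmp=$(mktemp) || return 2
    adb pull /sepolicy "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 2; }
    cmp -s "$tmp" "$1"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Check 3: show the avc denials for the domain so the exact class and
# permission being denied are visible, not just "can't write to logd".
show_denials() {            # $1: domain
    adb logcat -d | grep -E 'avc: *denied' | grep "scontext=u:r:$1:s0"
}

diagnose() {                # $1: domain, $2: built sepolicy path
    if built_policy_has_rule "$2" "$1"; then
        echo "built policy: $1 may sendto logd (rule inherited from domain)"
    else
        echo "built policy: NO sendto rule for $1 -> logd; check BOARD_SEPOLICY_DIRS and the .te file"
    fi
    case $(device_policy_matches "$2"; echo $?) in
        0) echo "device policy matches the build" ;;
        1) echo "device policy DIFFERS from the build; reflash or push the built policy" ;;
        *) echo "could not pull /sepolicy from the device" ;;
    esac
    show_denials "$1"
}

# Usage: ./check_domain.sh diagnose my_domain "$OUT/root/sepolicy"
if [ "${1:-}" = "diagnose" ]; then
    diagnose "$2" "$3"
fi
```

The text check in has_allow is deliberately separate from the sesearch and adb calls so it can be exercised on a saved dump; everything else is the procedure from the reply, with the policy path passed explicitly so sesearch never falls back to the host's own policy.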
