On 09/14/2018 04:31 AM, Sameer Joshi wrote:
> Hi,
> We are trying to have our own way of generating a debug report and for
> that we are running a script from the settings app, after "Generate report"
> is pressed. We are using Android 8.1 for this scenario.
> In this case, we are trying to create new files in the "/tmp" directory.
Use of a global /tmp is insecure. Create files in the app's data
directory instead.
> We get the following denials:
> 09-14 12:24:01.174 4592 4592 W media_report.sh: type=1400
> audit(0.0:53): avc: denied { create } for name="audio_result"
> scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_tmpfs:s0
> tclass=file permissive=0
> 09-14 12:24:01.174 4592 4592 W media_report.sh: type=1400
> audit(0.0:54): avc: denied { create } for name="audio_params"
> scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_tmpfs:s0
> tclass=file permissive=0
> Using audit2allow gives the following rules:
> #============= system_app ==============
> allow system_app system_app_tmpfs:file create;
> Adding this rule into system_app.te gives the following error during
> compilation.
> FAILED:
> out/target/product/brio/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil
> /bin/bash -c "(ASAN_OPTIONS=detect_leaks=0
> out/host/linux-x86/bin/checkpolicy -C -M -c 30 -o
> out/target/product/brio/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil.tmp
> out/target/product/brio/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy.conf
> ) && (grep -Fxv -f
> out/target/product/brio/obj/FAKE/selinux_policy_intermediates/reqd_policy_mask.cil
> out/target/product/brio/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil.tmp
> >
> out/target/product/brio/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil
> )"
> device/avaya/brio/sepolicy/system_app.te:38:ERROR 'unknown type
> system_app_tmpfs' at token ';' on line 26169:
> #============= system_app ==============
> allow system_app system_app_tmpfs:file create;
> checkpolicy: error(s) encountered while parsing configuration
> Can anyone help me understand how to solve this problem?
I think this is due to system_app_tmpfs being defined as part of the
platform private sepolicy, and thus not being exported to the
non-platform policy. Regardless, you shouldn't be allowing this.
> Regards,
> Sameer Joshi
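As an added illustration of the advice above (my own example, not code from the thread or from the report script it describes), this is how a report script can write its files into a private directory under the app's own data directory rather than a shared /tmp; the base directory argument and the file contents are assumptions, while the file names come from the denial lines.

```shell
#!/bin/sh
# Added example, not from the thread: collect the report files named in the
# denials (audio_result, audio_params) in a fresh private directory under the
# app's data directory instead of a global /tmp.
# Assumption: the caller passes the app data directory, e.g. /data/data/<pkg>/files.

# Reject the shared scratch directories themselves and any base directory
# that other UIDs can write to: there another process can pre-create or
# symlink the names the script is about to use. A mode-0700 subdirectory
# created atomically by mktemp -d is not itself shared, so it is accepted.
check_report_base() {
    base="$1"
    case "$base" in
        /tmp|/tmp/|/var/tmp|/var/tmp/|/data/local/tmp|/data/local/tmp/) return 1 ;;
    esac
    [ -d "$base" ] || return 1
    # find prints the directory only if it is world-writable (o+w)
    [ -z "$(find "$base" -prune -perm -002 -print)" ]
}

# Create a unique 0700 report directory and write the report files under a
# restrictive umask so nothing in it is readable by other UIDs. Prints the
# directory path on success, returns 1 if the base is unacceptable.
write_media_report() {
    base="$1"
    check_report_base "$base" || {
        echo "refusing to write report under $base" >&2
        return 1
    }
    umask 077
    dir=$(mktemp -d "$base/media_report.XXXXXX") || return 1
    # Constructed sample content standing in for the real collector output.
    printf 'sample audio result\n' > "$dir/audio_result"
    printf 'rate=48000 channels=2\n' > "$dir/audio_params"
    echo "$dir"
}
```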
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to
seandroid-list-requ...@tycho.nsa.gov.