author | Jorge Lucangeli Obes <jorgelo@google.com> | 2016-02-17 16:46:53 -0800 |
---|---|---|
committer | Jorge Lucangeli Obes <jorgelo@google.com> | 2016-02-17 16:55:18 -0800 |
commit | 49bdedb0883fb72e17a59b8bb0a09b369c259b01 (patch) | |
tree | ed63e3a7ca7279714f23cace417fee9cd2cf5c48 | |
parent | 902b45cc705d8272a7760bf5e215bab146d1deee (diff) | |
download | brillo-49bdedb0883fb72e17a59b8bb0a09b369c259b01.tar.gz |
Update sensorservice SELinux policy.
-Use 'r_dir_file' macros to simplify policy lines.
+This fixes a denial on sysfs:lnk_file.
-Remove 'servicemanager sensorservice' lines.
+There should be no references to 'sensorservice:{dir,file}' since
'sensorservice' is not a file label.
Bug: 27229987
Change-Id: Ib6d501680f789e940ff33ddfb4db16b946716823
-rw-r--r-- | sepolicy/sensorservice.te | 13 |
1 files changed, 2 insertions, 11 deletions
diff --git a/sepolicy/sensorservice.te b/sepolicy/sensorservice.te
index d21c272..88ce2c7 100644
--- a/sepolicy/sensorservice.te
+++ b/sepolicy/sensorservice.te
@@ -7,21 +7,12 @@ brillo_domain(sensorservice)
 allow sensorservice sensorservice_service:service_manager add;
 allow sensorservice servicemanager:binder { transfer call };
 
-# Allow servicemanager to access sensorservice.
-allow servicemanager sensorservice:dir search;
-allow servicemanager sensorservice:file r_file_perms;
-allow servicemanager sensorservice:process getattr;
-
 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(sensorservice)
 
 allow sensorservice cpuctl_device:dir search;
 
-allow sensorservice proc_net:dir search;
-allow sensorservice proc_net:file r_file_perms;
-
-allow sensorservice sysfs:dir r_dir_perms;
-allow sensorservice sysfs:file r_file_perms;
-allow sensorservice sysfs:lnk_file read;
+r_dir_file(sensorservice, proc_net)
+r_dir_file(sensorservice, sysfs)
 
 allow sensorservice self:capability { net_admin sys_nice };
|
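Review bot: `r_dir_file(sensorservice, proc_net)` is not a pure simplification. Assuming the platform's usual macro definition (dir `r_dir_perms` plus `{ file lnk_file } r_file_perms`), it widens proc_net from `dir search` to full directory read and adds lnk_file access, while the commit message reports a denial only on sysfs:lnk_file. If no proc_net denial was observed, keeping `allow sensorservice proc_net:dir search;` and `allow sensorservice proc_net:file r_file_perms;` preserves least privilege. On the sysfs line, a comment such as `# r_dir_file also covers lnk_file; fixes the sysfs:lnk_file denial (Bug: 27229987)` would record why the broader macro is used. `sysfs` is the generic label, so a dedicated type for the sensor nodes would be tighter if the device policy can label them.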