    Hide sys_rawio SELinux denials. · bf4afae1
    Joel Galenson authored
    We often see the following denials:
    
    avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
    avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0
    
    These are benign, so we are hiding them.
    
    Bug: 37778617
    Test: Boot device.
    Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a
hal_bootctl.te 335 B
# HwBinder IPC from client to server, and callbacks
binder_call(hal_bootctl_client, hal_bootctl_server)
binder_call(hal_bootctl_server, hal_bootctl_client)

add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;

dontaudit hal_bootctl self:capability sys_rawio;
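
An added example, not part of the AOSP policy or the commit: a short Python script that parses AVC denial lines such as the two quoted in the commit message and drafts the matching `dontaudit` rules for review. The function names are hypothetical, and the script writes each rule on the domain type seen in the log, whereas the file above writes its rule on the `hal_bootctl` attribute.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the commit message.
SAMPLE_LOG = """\
avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return source type, target type, class and permissions, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        # Contexts are user:role:type:level; policy rules are written on the type.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {"source": source, "target": target, "tclass": tclass,
            "perms": m.group("perms").split()}

def suggest_dontaudit(log_text):
    """Group denials by (source, target, class) and emit one rule per group."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        # A domain acting on its own context is written as "self".
        target = "self" if d["source"] == d["target"] else d["target"]
        grouped[(d["source"], target, d["tclass"])].update(d["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"dontaudit {source} {target}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_dontaudit(SAMPLE_LOG)))
```

The output is only a draft: whether a denial is benign enough to hide is a review decision, as it was in the commit message above.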