From 2fbecbba4dcea125cae1b673368fad07eee67879 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 4 Jun 2014 13:56:22 -0400
Subject: [PATCH] Allow installd to stat asec files and /data/media files.

Addresses denials such as:
avc: denied { getattr } for comm="installd" path="/data/app-asec/com.vectorunit.red-1.asec" dev="dm-0" ino=578229 scontext=u:r:installd:s0 tcontext=u:object_r:asec_image_file:s0 tclass=file
avc: denied { getattr } for pid=262 comm="installd" path="/data/media/0/Android/data/com.google.android.apps.maps/cache/cache_vts_tran_base_GMM.m" dev="dm-0" ino=124930 scontext=u:r:installd:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit d2622fda569d2a8decc0b4e013979a40a24a799d)
Change-Id: Iac46236ee583dee11a7e6518a9e8eca25c59e9ba
---
 installd.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/installd.te b/installd.te
index 3ce2c5d08..d17cd4773 100644
--- a/installd.te
+++ b/installd.te
@@ -17,8 +17,9 @@ selinux_check_context(installd)
 # Read /seapp_contexts and /data/security/seapp_contexts
 security_access_policy(installd)
 
-# Search /data/app-asec.
+# Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
+allow installd asec_image_file:file getattr;
 
 # Create /data/user and /data/user/0 if necessary.
 # Also required to initially create /data/data subdirectories
@@ -29,7 +30,7 @@ allow installd system_data_file:lnk_file { create setattr unlink };
 # Upgrade /data/media for multi-user if necessary.
 allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file unlink;
+allow installd media_rw_data_file:file { getattr unlink };
 # restorecon new /data/media directory.
 allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;
 
-- 
GitLab
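Review bot: The comment above the widened rule in the second hunk, `# Upgrade /data/media for multi-user if necessary.`, no longer explains the rule: the denial quoted in the commit message is for a file under /data/media/0/Android/data/.../cache, which looks like a different installd code path than the multi-user upgrade (presumably some size or usage measurement, but that is not visible from the patch). The first hunk updated its comment to say the rule now covers stat as well; this one should do the same so that a later cleanup of the upgrade path does not take `getattr` with it. I would add a line such as `# Also stat files in /data/media (see the media_rw_data_file getattr denial in the commit message).` directly above the changed rule. The grant itself stays narrow (getattr only, no read or write on the file class), which is the right scope for resolving these denials.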