From 9cc6d8d581b6094b36c59a0e95d674cb193916e8 Mon Sep 17 00:00:00 2001
From: "jaejyn.shin" <jaejyn.shin@lge.com>
Date: Tue, 24 Dec 2013 08:59:53 +0900
Subject: [PATCH] Adding permissions needed to remove cache During removing cache data using Zipper application, I found violation logs. avc: denied { write } for pid=198 comm="installd" name="cache" dev="mmcblk0p29" ino=81680 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir avc: denied { remove_name } for pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir avc: denied { unlink } for pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=file Reproduction path is like below 1. Downloading Zipper application from Google Play (I used Zipper 1.9.9.2) 2. Clicking option and clicking "removing cache" button 3. Select "yes" 4. Violation show up Change-Id: I7993f1d20e3aa4c3e19c4aba9b4bef6760831a87
---
 installd.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/installd.te b/installd.te
index 85ba69f88..7c7215871 100644
--- a/installd.te
+++ b/installd.te
@@ -16,8 +16,8 @@ allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd download_file:dir { r_dir_perms };
-allow installd download_file:file { r_file_perms };
+allow installd download_file:dir { r_dir_perms write remove_name };
+allow installd download_file:file { r_file_perms unlink };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
--
GitLab
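Review bot: The two widened `download_file` rules land without a comment saying why installd may delete under that type, so a later reader of installd.te cannot tell the grant is meant only for cache clearing; a line such as `# Allow installd to delete cached downloads when clearing app caches.` above them would record that. The added permissions match the three logged denials exactly (`write` and `remove_name` on the dir, `unlink` on the file) and leave out `add_name` and file `write`, so installd still cannot create or modify content labeled `download_file`. The denials only show a plain file directly inside `cache`; if the cleanup can also meet subdirectories with this label, `rmdir` would presumably be the next denial. It is worth re-running the reproduction with the new policy and checking the audit log rather than widening further in advance.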