Label /dev/fscklogs and allow system_server access to it.

Otherwise you get denials such as: type=1400 audit(1383590310.430:623): avc: denied { getattr } for pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file type=1400 audit(1383590310.430:624): avc: denied { open } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file type=1400 audit(1383590310.430:625): avc: denied { write } for pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir type=1400 audit(1383590310.430:625): avc: denied { remove_name } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir type=1400 audit(1383590310.430:625): avc: denied { unlink } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Label /dev/fscklogs and allow system_server access to it.
Otherwise you get denials such as: type=1400 audit(1383590310.430:623): avc: denied { getattr } for pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file type=1400 audit(1383590310.430:624): avc: denied { open } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file type=1400 audit(1383590310.430:625): avc: denied { write } for pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir type=1400 audit(1383590310.430:625): avc: denied { remove_name } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir type=1400 audit(1383590310.430:625): avc: denied { unlink } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
af47ebb6 · Stephen Smalley · Nick Kralevich · 00739e3d · af47ebb6 · af47ebb6
Commit af47ebb6 authored 11 years ago by Stephen Smalley Committed by Nick Kralevich 11 years ago
--- a/device.te
+++ b/device.te
@@ -15,6 +15,7 @@ type radio_device, dev_type;
 type ram_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
+type fscklogs, dev_type;
 type full_device, dev_type;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;

--- a/file_contexts
+++ b/file_contexts
@@ -45,6 +45,7 @@
 /dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
+/dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
 /dev/full		u:object_r:full_device:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0

--- a/system_server.te
+++ b/system_server.te
@@ -212,3 +212,8 @@ allow system_server hw_random_device:chr_file r_file_perms;
 # Access to wake locks
 allow system_server sysfs_wake_lock:file rw_file_perms;
+# Read and delete files under /dev/fscklogs.
+r_dir_file(system_server, fscklogs)
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;