On Fri, 2012-03-02 at 16:13 -0600, Bryan Hinton wrote: > Thank you for the feedback. An updated patch for inclusion into the > sepolicy tree, is below. > My replies to your comments are below the patch. Thanks, a few comments below. > @@ -35,6 +37,7 @@ > /dev/mtd/mtd5ro u:object_r:radio_device:s0 > /dev/mtp_usb u:object_r:mtp_device:s0 > /dev/pn544 u:object_r:nfc_device:s0 > +/dev/ttyO3 u:object_r:nfc_device:s0 I suspect this one should go into a separate sepolicy.fc file for the device, now that we have support for such files. > @@ -66,7 +69,8 @@ > /dev/socket/zygote u:object_r:zygote_socket:s0 > /dev/spdif_out.* u:object_r:audio_device:s0 > /dev/tegra.* u:object_r:video_device:s0 > -/dev/tty[0-9]* u:object_r:tty_device:s0 > +/dev/tty[0-2]* u:object_r:tty_device:s0 > +/dev/tty[4-9]* u:object_r:tty_device:s0 Not necessary; a fully specified (no regex) pathname will always take precedence over a regex, and a later entry will take precedence over an earlier one. So it should suffice to have the /dev/tty03 in your sepolicy.fc file for the device. 
> @@ -116,10 +120,15 @@ > /data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0 > # App sandboxes > /data/data/.* u:object_r:app_data_file:s0 > +/data/data/com.android.providers.telephony/databases(/.*)? > u:object_r:radio_data_file:s0 > +/data/data/com.android.providers.telephony/(optable\.db)? > u:object_r:radio_data_file:s0 The last pathname regex doesn't seem right. If you just want optable.db, then drop the parens and ?; if you want everything under the directory, then you can just use (/.*)?. Also, your patch was line wrapped and thus can't be applied. Make sure you use preformat or equivalent in your mail client or directly send via git send-email. > + > ############################# > # efs files > # > /efs(/.*)? u:object_r:efs_file:s0 > +/data/radio/nv_data.bin.* u:object_r:radio_data_file:s0 > +/factory/nv_data.bin.* u:object_r:radio_data_file:s0 I suspect these will go into your sepolicy.fc file for the device. -- Stephen Smalley National Security Agency
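
Review bot: the added /dev/ttyO3 line in the @@ -35,6 +37,7 @@ hunk gives a generically named tty node the nfc_device type with no comment saying which device needs it, unlike the chip-specific /dev/pn544 entry just above it. Add a comment naming the device that exposes its NFC controller on this node, so the label is not read as applying to every device that has a ttyO3.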
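
Review bot: the two replacement lines in the @@ -66,7 +69,8 @@ hunk, /dev/tty[0-2]* and /dev/tty[4-9]*, no longer cover every name the removed /dev/tty[0-9]* did. Each pattern repeats a single character class, so /dev/tty3 and any multi-digit name that mixes the two ranges (for example /dev/tty13 or /dev/tty15) matches neither and loses the tty_device label. The split also gains nothing for /dev/ttyO3, whose fourth character is the letter O and never matched [0-9]*. Suggest leaving the original line unchanged.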
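
Review bot: in the @@ -116,10 +120,15 @@ hunk the dots in /data/radio/nv_data.bin.* and /factory/nv_data.bin.* are unescaped, so the one before "bin" matches any character, while the same hunk escapes the dot in optable\.db. Write nv_data\.bin.* in both entries for consistency. In the (optable\.db)? entry the group is optional, so the pattern also matches the bare directory path ending in a slash; drop the parentheses and the ? if only the file is meant. Both /data/data/com.android.providers.telephony entries are also split across two lines, with the context on the line after the path, so they need to be rejoined onto one line each.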
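
The precedence rule stated in the reply above, as a simplified Python model (an added example, not code from the thread or from libselinux): a literal entry beats a regex, and otherwise the later entry wins. Whole-path matching is assumed, and the /dev/tty3 literal entry and the parse, is_literal and lookup helpers are constructed for illustration.

```python
import re

# Constructed from the entries quoted in this thread. The /dev/tty3 line is a
# made-up literal entry, listed first to show it still beats the later regex.
ORIGINAL = """
/dev/tty3        u:object_r:nfc_device:s0
/dev/pn544       u:object_r:nfc_device:s0
/dev/tty[0-9]*   u:object_r:tty_device:s0
/dev/ttyO3       u:object_r:nfc_device:s0
"""
# The same tty entries with the regex split as in the posted patch.
SPLIT = """
/dev/tty[0-2]*   u:object_r:tty_device:s0
/dev/tty[4-9]*   u:object_r:tty_device:s0
/dev/ttyO3       u:object_r:nfc_device:s0
"""

def parse(text):
    """Return (pattern, context) pairs, skipping blanks and # comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[-1]))
    return entries

def is_literal(pattern):
    """True when the pattern has no unescaped regex metacharacter."""
    return not re.search(r"[.^$?*+|\[\](){}]", re.sub(r"\\.", "", pattern))

def lookup(entries, path):
    """Whole-path match; a literal beats a regex, otherwise the later entry wins."""
    best = None  # (is_literal, context) of the winning entry so far
    for pattern, context in entries:
        if re.fullmatch(pattern, path):
            literal = is_literal(pattern)
            if best is None or literal or not best[0]:
                best = (literal, context)
    return best[1] if best else None

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("split", SPLIT)):
        entries = parse(text)
        for path in ("/dev/ttyO3", "/dev/tty3", "/dev/tty7", "/dev/tty13"):
            print(f"{name:8} {path:11} -> {lookup(entries, path)}")
```

With the split patterns, /dev/tty3 and /dev/tty13 come back unmatched, while the single /dev/tty[0-9]* entry labels /dev/tty13 as tty_device.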