On Fri, 2012-06-22 at 09:31 +0000, ken.masumitsu@xxxxxxxxxxxxx wrote:
> Hi,
>
> I am working with SEAndroid 4.0.4 on a Galaxy Nexus.
>
> When I tried to change the wallpaper, some denials appeared.
>
> ---------------------------------------------------------------------------------------
> <5>[ 1038.038543] type=1400 audit(1340267126.382:1469): avc: denied {
> write } for pid=380 comm=42696E646572205468726561642023
> name="wallpaper" dev=mmcblk0p12 ino=578431 scontext=u:r:system:s0
> tcontext=u:object_r:wallpaper_file:s0 tclass=file
> <5>[ 1038.048278] type=1400 audit(1340267126.390:1470): avc: denied {
> write } for pid=380 comm=42696E646572205468726561642023
> path="/data/data/com.android.settings/files/wallpaper" dev=mmcblk0p12
> ino=578431 scontext=u:r:trusted_app:s0:c17
> tcontext=u:object_r:wallpaper_file:s0 tclass=file
> ---------------------------------------------------------------------------------------
>
>
> Though I added the following lines to device/maguro/sepolicy.te,
> ---------------------------------------------------------------------------------------
> #============= system ==============
> # src="system" tgt="wallpaper_file" class="file", perms="write"
> # comm="2696E64657220546872656164202" exe="" path=""
> allow system wallpaper_file:file write;
>
> #============= trusted_app ==============
> # src="trusted_app" tgt="wallpaper_file" class="file", perms="write"
> # comm="2696E64657220546872656164202" exe="" path=""
> allow trusted_app wallpaper_file:file write;
> ---------------------------------------------------------------------------------------
>
> a denial still appeared.
> ---------------------------------------------------------------------------------------
> <5>[ 508.922760] type=1400 audit(1340350990.015:190): avc: denied {
> write } for pid=565 comm=42696E646572205468726561642023
> path="/data/data/com.android.settings/files/wallpaper" dev=mmcblk0p12
> ino=578429 scontext=u:r:trusted_app:s0:c17
> tcontext=u:object_r:wallpaper_file:s0 tclass=file
> ---------------------------------------------------------------------------------------
>
> Do you know why the denial appears, and how to resolve it?

Need to add mlstrustedobject to wallpaper_file in order for apps at any level to write to it.

diff --git a/file.te b/file.te index 4e3bd53..eb4c792 100644 --- a/file.te +++ b/file.te @@ -54,7 +54,7 @@ type cache_file, file_type, mlstrustedobject; # Default type for anything under /efs type efs_file, file_type; # Type for wallpaper file. -type wallpaper_file, file_type; +type wallpaper_file, file_type, mlstrustedobject; # All devices have bluetooth efs files. But they # vary per device, so this type is used in per

--
Stephen Smalley
National Security Agency
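
Review bot: the comment above the changed `type wallpaper_file` line still reads only "# Type for wallpaper file." and gives no reason for the new mlstrustedobject attribute. Since the attribute is there so that apps at any level can write to the file, the comment should say so, for example "# Type for wallpaper file; mlstrustedobject because apps at any level must write it." With the level check no longer applying to this type, the allow rules that name wallpaper_file are what limit who can write it, so it is worth confirming in the same review that write is granted only to the domains that need it (the thread mentions system and trusted_app).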
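
The triage behind this reply, as an added example that is not part of the original thread: it parses the two denial shapes quoted above, decodes the hex-encoded `comm`, and separates a denial that an allow rule can clear from one where the source and target levels differ. The function names are hypothetical, and the equal-levels-unless-mlstrustedobject rule for write is an assumption about the policy's MLS constraint.

```python
import re

# Constructed sample: the two denial shapes quoted in the thread, unwrapped.
SAMPLE = [
    'avc: denied { write } for pid=380 comm=42696E646572205468726561642023 '
    'name="wallpaper" dev=mmcblk0p12 ino=578431 scontext=u:r:system:s0 '
    'tcontext=u:object_r:wallpaper_file:s0 tclass=file',
    'avc: denied { write } for pid=565 comm=42696E646572205468726561642023 '
    'path="/data/data/com.android.settings/files/wallpaper" dev=mmcblk0p12 '
    'ino=578429 scontext=u:r:trusted_app:s0:c17 '
    'tcontext=u:object_r:wallpaper_file:s0 tclass=file',
]
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_comm(value):
    """audit quotes a plain comm and hex-encodes one with spaces or odd bytes."""
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode('ascii', 'replace')
    return value.strip('"')

def split_context(ctx):
    """user:role:type:sensitivity[:categories] -> (type, sensitivity, categories).
    Simplification: single levels only; ranges such as s0-s1 or c0.c5 are not expanded."""
    parts = ctx.split(':', 4)
    cats = frozenset(parts[4].split(',')) if len(parts) > 4 else frozenset()
    return parts[2], parts[3], cats

def triage(line, trusted_objects=frozenset()):
    """Classify one denial. Assumption: the MLS write constraint demands equal
    source and target levels unless the target type is an mlstrustedobject."""
    f = dict(FIELD.findall(line))
    stype, ssens, scats = split_context(f['scontext'])
    ttype, tsens, tcats = split_context(f['tcontext'])
    mls_ok = (ssens, scats) == (tsens, tcats) or ttype in trusted_objects
    return {
        'comm': decode_comm(f.get('comm', '')),
        'source': stype, 'target': ttype, 'tclass': f['tclass'],
        'perms': re.search(r'\{([^}]*)\}', line).group(1).split(),
        # 'te': an allow rule is the missing piece; 'mls-suspect': levels differ,
        # so an allow rule alone cannot clear the denial.
        'cause': 'te' if mls_ok else 'mls-suspect',
    }

if __name__ == '__main__':
    for entry in SAMPLE:
        r = triage(entry)
        print(r['comm'], r['source'], '->', r['target'], r['perms'], r['cause'])
```

Passing `trusted_objects={'wallpaper_file'}` models the policy after the attribute is added: the `s0:c17` denial then no longer registers as a level mismatch.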