On Mon, 2012-06-25 at 02:50 +0000, ken.masumitsu@xxxxxxxxxxxxx wrote:
> Hi,
>
> Thanks for your comments.
> I could change wallpaper by modifying file.te you suggested.
>
> However, I have one question.
> How do you find/investigate the deny comes from MLS?
>
> Because, though I interpreted the log as
>   The object (wallpaper file) had no category and sensitivity of the
>   object and the subject were same.
>   The access was allowed by MLS.
> the guess was incorrect.
>
> ---------------------------------------------------------------------------------------
>
> <5>[  508.922760] type=1400 audit(1340350990.015:190): avc: denied { write } for pid=565 comm=42696E646572205468726561642023 path="/data/data/com.android.settings/files/wallpaper" dev=mmcblk0p12 ino=578429 scontext=u:r:trusted_app:s0:c17 tcontext=u:object_r:wallpaper_file:s0 tclass=file
> ---------------------------------------------------------------------------------------

The subject dominated the object due to its category set. Such a write would have been a write-down and thus violated the BLP *-property.

The relevant constraint in the sepolicy/mls file was:

mlsconstrain { file lnk_file sock_file chr_file blk_file }
	{ write setattr append unlink link rename }
	(t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

Some helpful documentation written by others can be found at:
http://selinuxproject.org/page/NB_MLS

The book SELinux By Example may also be helpful in understanding the MLS model and constraint syntax for SELinux.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
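The following is an added worked example, not code from the thread or from the Android sepolicy project. It parses the scontext/tcontext of an avc denial like the one quoted above into MLS levels, implements the dominance relation, and evaluates each disjunct of the quoted mlsconstrain so you can see which clause failed. Assumptions: only the low level of a context range is used (which is what l1/l2 denote); membership in the mlstrustedsubject/mlstrustedobject attributes is not visible on this page, so it is modeled as sets passed in by the caller (empty by default); the avc line below is a constructed copy of the one in the post.

```python
"""Evaluate the quoted Android sepolicy MLS write constraint against avc
denial contexts.  Added example; not code from the mailing-list post."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Level:
    sens: int                # sensitivity, e.g. 0 for "s0"
    cats: FrozenSet[int]     # category set, e.g. {17} for "c17"


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    low: Level               # l1/l2 in constraint syntax refer to the low level


def parse_level(text: str) -> Level:
    """Parse 's0', 's0:c17' or 's0:c1,c3.c5' ('c3.c5' is an inclusive range)."""
    sens_part, _, cat_part = text.partition(":")
    sens = int(sens_part.lstrip("s"))
    cats = set()
    if cat_part:
        for item in cat_part.split(","):
            lo, _, hi = item.partition(".")
            lo_n = int(lo.lstrip("c"))
            hi_n = int(hi.lstrip("c")) if hi else lo_n
            cats.update(range(lo_n, hi_n + 1))
    return Level(sens, frozenset(cats))


def parse_context(text: str) -> Context:
    """Parse 'user:role:type:level[-level]'; only the low level is kept."""
    user, role, type_, rng = text.split(":", 3)
    low_text = rng.split("-", 1)[0]
    return Context(user, role, type_, parse_level(low_text))


def dominates(a: Level, b: Level) -> bool:
    """a dom b: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a.sens >= b.sens and a.cats >= b.cats


# Classes and permissions the quoted mlsconstrain applies to.
CONSTRAINED_CLASSES = {"file", "lnk_file", "sock_file", "chr_file", "blk_file"}
CONSTRAINED_PERMS = {"write", "setattr", "append", "unlink", "link", "rename"}


def evaluate_write_constraint(scontext: str, tcontext: str,
                              trusted_subjects: FrozenSet[str] = frozenset(),
                              trusted_objects: FrozenSet[str] = frozenset()
                              ) -> Tuple[bool, Dict[str, bool]]:
    """Return (allowed, per-clause results) for the quoted constraint."""
    s = parse_context(scontext)   # t1 / l1
    t = parse_context(tcontext)   # t2 / l2
    clauses = {
        "t2 == app_data_file": t.type_ == "app_data_file",
        # "l1 domby l2" means the object level must dominate the subject level
        "l1 domby l2": dominates(t.low, s.low),
        "t1 == mlstrustedsubject": s.type_ in trusted_subjects,
        "t2 == mlstrustedobject": t.type_ in trusted_objects,
    }
    return any(clauses.values()), clauses


AVC_RE = re.compile(r"avc: denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")


def check_avc_line(line: str) -> Optional[Tuple[bool, Dict[str, bool]]]:
    """Apply the constraint to an avc denial; None if the constraint is not relevant."""
    m = AVC_RE.search(line)
    if not m or m.group("c") not in CONSTRAINED_CLASSES:
        return None
    if not set(m.group("perms").split()) & CONSTRAINED_PERMS:
        return None
    return evaluate_write_constraint(m.group("s"), m.group("t"))


# Constructed copy of the denial quoted in the post.
SAMPLE_AVC = ('<5>[  508.922760] type=1400 audit(1340350990.015:190): avc: denied { write } '
              'for pid=565 comm=42696E646572205468726561642023 '
              'path="/data/data/com.android.settings/files/wallpaper" dev=mmcblk0p12 '
              'ino=578429 scontext=u:r:trusted_app:s0:c17 '
              'tcontext=u:object_r:wallpaper_file:s0 tclass=file')

if __name__ == "__main__":
    allowed, clauses = check_avc_line(SAMPLE_AVC)
    print("MLS allows write:", allowed)
    for name, ok in clauses.items():
        print(f"  {name:26} -> {ok}")
```

Run as-is it reports every clause False for the quoted denial: the subject at s0:c17 dominates the object at s0 (no categories), so `l1 domby l2` fails and the write is a write-down. Changing the object label to s0:c17, or the subject label to plain s0, makes the dominance clause hold, which is the same reasoning as modifying file.te to label the wallpaper differently.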