On Fri, 2012-06-22 at 08:31 -0400, Stephen Smalley wrote:
> On Fri, 2012-06-22 at 09:31 +0000, ken.masumitsu@xxxxxxxxxxxxx wrote:
> > Hi,
> >
> > I am working with SEAndroid 4.0.4 on Galaxy Nexus.
> >
> > When I tried to change wallpaper, some denials appeared.
> >
> > ---------------------------------------------------------------------------------------
> > <5>[ 1038.038543] type=1400 audit(1340267126.382:1469): avc: denied {
> > write } for pid=380 comm=42696E646572205468726561642023
> > name="wallpaper" dev=mmcblk0p12 ino=578431 scontext=u:r:system:s0
> > tcontext=u:object_r:wallpaper_file:s0 tclass=file
> > <5>[ 1038.048278] type=1400 audit(1340267126.390:1470): avc: denied {
> > write } for pid=380 comm=42696E646572205468726561642023
> > path="/data/data/com.android.settings/files/wallpaper" dev=mmcblk0p12
> > ino=578431 scontext=u:r:trusted_app:s0:c17
> > tcontext=u:object_r:wallpaper_file:s0 tclass=file
> > ---------------------------------------------------------------------------------------
> >
> >
> > Though I added the following lines to device/maguro/sepolicy.te,
> > ---------------------------------------------------------------------------------------
> > #============= system ==============
> > # src="system" tgt="wallpaper_file" class="file", perms="write"
> > # comm="2696E64657220546872656164202" exe="" path=""
> > allow system wallpaper_file:file write;
> >
> > #============= trusted_app ==============
> > # src="trusted_app" tgt="wallpaper_file" class="file", perms="write"
> > # comm="2696E64657220546872656164202" exe="" path=""
> > allow trusted_app wallpaper_file:file write;
> > ---------------------------------------------------------------------------------------
> >
> > still a denial appeared.
> > ---------------------------------------------------------------------------------------
> > <5>[ 508.922760] type=1400 audit(1340350990.015:190): avc: denied {
> > write } for pid=565 comm=42696E646572205468726561642023
> > path="/data/data/com.android.settings/files/wallpaper" dev=mmcblk0p12
> > ino=578429 scontext=u:r:trusted_app:s0:c17
> > tcontext=u:object_r:wallpaper_file:s0 tclass=file
> > ---------------------------------------------------------------------------------------
> >
> > Do you know why the denial appears, and how to resolve it?
>
> Need to add mlstrustedobject to wallpaper_file in order for apps at any
> level to write to it.
>
> diff --git a/file.te b/file.te
> index 4e3bd53..eb4c792 100644
> --- a/file.te
> +++ b/file.te
> @@ -54,7 +54,7 @@ type cache_file, file_type, mlstrustedobject;
> # Default type for anything under /efs
> type efs_file, file_type;
> # Type for wallpaper file.
> -type wallpaper_file, file_type;
> +type wallpaper_file, file_type, mlstrustedobject;
>
> # All devices have bluetooth efs files. But they
> # vary per device, so this type is used in per

I applied these changes to our policy, so you should get the updates
when you next sync your copy.

--
Stephen Smalley
National Security Agency
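
Review bot: on the "+type wallpaper_file, file_type, mlstrustedobject;" line, the comment above it still reads only "# Type for wallpaper file." and does not say why the type carries mlstrustedobject. Suggest extending that comment to record that apps at any level must be able to write the wallpaper (the denial in this thread is trusted_app at s0:c17 writing a wallpaper_file object at s0), so a later cleanup does not drop the attribute. Since the attribute lets a writer at any level through, the allow rules that grant write on wallpaper_file are what limit who can modify it, and they are worth keeping to the domains that need it.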
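
An added example, not part of the original thread or of the SEAndroid project's code: a Python triage helper that parses the denials quoted above, decodes the hex-encoded comm field, and flags records whose source and target levels differ, the case in this thread where the allow rule alone did not clear the denial. The function names and the re-joined sample lines are constructed for illustration, and a level mismatch is a heuristic hint, not proof that an MLS constraint caused the denial.

```python
import re

# Constructed input: two denials from the thread, mail-wrapped lines re-joined.
SAMPLE = [
    '<5>[ 1038.038543] type=1400 audit(1340267126.382:1469): avc: denied { write } '
    'for pid=380 comm=42696E646572205468726561642023 name="wallpaper" '
    'dev=mmcblk0p12 ino=578431 scontext=u:r:system:s0 '
    'tcontext=u:object_r:wallpaper_file:s0 tclass=file',
    '<5>[ 508.922760] type=1400 audit(1340350990.015:190): avc: denied { write } '
    'for pid=565 comm=42696E646572205468726561642023 '
    'path="/data/data/com.android.settings/files/wallpaper" dev=mmcblk0p12 '
    'ino=578429 scontext=u:r:trusted_app:s0:c17 '
    'tcontext=u:object_r:wallpaper_file:s0 tclass=file',
]

AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_comm(raw):
    """Quoted values are literal; an unquoted all-hex value is a hex-encoded name."""
    if raw.startswith('"'):
        return raw.strip('"')
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def split_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' (s0:c17)."""
    _user, _role, type_, level = ctx.split(":", 3)
    return type_, level

def triage(line):
    """Summarise one AVC denial, or return None if the line is not one."""
    m = AVC.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("rest")))
    src_type, src_level = split_context(fields["scontext"])
    tgt_type, tgt_level = split_context(fields["tcontext"])
    return {
        "comm": decode_comm(fields.get("comm", "")),
        "perms": m.group("perms").split(),
        "source": src_type, "target": tgt_type, "tclass": fields["tclass"],
        "source_level": src_level, "target_level": tgt_level,
        # Heuristic: differing levels mean an allow rule may not be enough.
        "mls_mismatch": src_level != tgt_level,
    }

if __name__ == "__main__":
    for record in SAMPLE:
        print(triage(record))
```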