On Mon, Jul 30, 2012 at 10:33 AM, Haiqing Jiang <hqjiang1988@xxxxxxxxx> wrote:
The denial information is shown as below:<5>[ 2219.393524] type=1400 audit(1342221801.398:17): avc: denied { read } for pid=2687 comm="ationTestRunner" name="mtdblock0" dev=tmpfs ino=2562 scontext=u:r:untrusted_app:s0:c38 tcontext=u:object_r:block_device:s0 tclass=lnk_file
<5>[ 2219.399566] type=1400 audit(1342221801.406:18): avc: denied { read } for pid=2687 comm="ationTestRunner" name="radio" dev=tmpfs ino=2527 scontext=u:r:untrusted_app:s0:c38 tcontext=u:object_r:radio_device:s0 tclass=lnk_file
<5>[ 2005.011016] type=1400 audit(1342224760.046:32): avc: denied { read } for pid=7264 comm="onCtsTestRunner" name="events" dev=tmpfs ino=2902 scontext=u:r:untrusted_app:s0:c38 tcontext=u:object_r:log_device:s0 tclass=chr_file--On Mon, Jul 30, 2012 at 5:14 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
I don't think you want to allow all app domains to read all devices.On Fri, 2012-07-27 at 15:40 -0700, Haiqing Jiang wrote:
> ---
> cts.te | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/cts.te b/cts.te
> index 489be1a..ff8a9f0 100644
> --- a/cts.te
> +++ b/cts.te
> @@ -20,7 +20,7 @@ allow appdomain file_type:dir r_dir_perms;
> allow appdomain fs_type:dir r_dir_perms;
> allow appdomain dev_type:dir r_dir_perms;
> allow appdomain file_type:dir_file_class_set getattr;
> -allow appdomain dev_type:dir_file_class_set getattr;
> +allow appdomain dev_type:dir_file_class_set { getattr read };
> allow appdomain fs_type:dir_file_class_set getattr;
>
> # Execute the shell or other system executables.
Nor should that be required even for CTS. Which devices triggered
denials?
--
Stephen Smalley
National Security Agency
-----------------------------------Haiqing Jiang, PH.D studentComputer Science Department, North Carolina State University
-----------------------------------
Haiqing Jiang, PH.D studentComputer Science Department, North Carolina State University
