<5>[ 76.435272] type=1400 audit(1342043186.382:4): avc: denied { read } for pid=815 comm=42696E646572205468726561642023 name="CtsTestStubs.apk" dev=mmcblk0p12 ino=667811 scontext=u:r:untrusted_app:s0:c9 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 76.435516] type=1400 audit(1342043186.382:5): avc: denied { open } for pid=815 comm=42696E646572205468726561642023 name="CtsTestStubs.apk" dev=mmcblk0p12 ino=667811 scontext=u:r:untrusted_app:s0:c9 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 76.472808] type=1400 audit(1342043186.421:6): avc: denied { read write } for pid=206 comm="PackageManager" path="/data/app/vmdl-400972190.tmp" dev=mmcblk0p12 ino=781829 scontext=u:r:untrusted_app:s0:c9 tcontext=u:object_r:apk_tmp_file:s0 tclass=file
<5>[ 97.407379] type=1400 audit(1342043207.359:7): avc: denied { read } for pid=814 comm=42696E646572205468726561642023 name="CtsAppTestCases.apk" dev=mmcblk0p12 ino=667812 scontext=u:r:untrusted_app:s0:c9 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 97.407562] type=1400 audit(1342043207.359:8): avc: denied { open } for pid=814 comm=42696E646572205468726561642023 name="CtsAppTestCases.apk" dev=mmcblk0p12 ino=667812 scontext=u:r:untrusted_app:s0:c9 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 97.410003] type=1400 audit(1342043207.359:9): avc: denied { read write } for pid=206 comm="PackageManager" path="/data/app/vmdl1671180406.tmp" dev=mmcblk0p12 ino=781831 scontext=u:r:untrusted_app:s0:c9 tcontext=u:object_r:apk_tmp_file:s0 tclass=file
On Mon, Jul 30, 2012 at 5:55 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
Applied. However, for each such denial, we need to consider whether
these should only be allowed for CTS purposes or whether they belong as
part of the base policy in general (and if the latter, whether they are
required for all app domains or just some of them).

Stephen Smalley

On Fri, 2012-07-27 at 15:13 -0700, Haiqing Jiang wrote:
> ---
> cts.te | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
> diff --git a/cts.te b/cts.te
> index 3600e94..489be1a 100644
> --- a/cts.te
> +++ b/cts.te
> @@ -27,6 +27,10 @@ allow appdomain fs_type:dir_file_class_set getattr;
> allow appdomain shell_exec:file rx_file_perms;
> allow appdomain system_file:file rx_file_perms;
>
> +# Accesses to apk_tmp_file and shell_data_file
> +allow appdomain apk_tmp_file:file rw_file_perms;
> +allow appdomain shell_data_file:file r_file_perms;
> +
> # Read routing information.
> allow netdomain self:netlink_route_socket { create read write nlmsg_read };
>
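Review bot: Both added rules use `appdomain` as the source, but every denial logged in this thread has scontext `untrusted_app`, so `allow appdomain apk_tmp_file:file rw_file_perms;` and `allow appdomain shell_data_file:file r_file_perms;` extend the access to every app domain rather than only the one that was denied. Consider `untrusted_app` as the source unless other app domains are shown to need it, and expand the comment above the rules to name the operation that needs this (the denials point at PackageManager handling /data/app/vmdl*.tmp and reads of the Cts*.apk files), since read/write on apk_tmp_file is the broader grant of the two.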
--
National Security Agency
-----------------------------------
Haiqing Jiang, PH.D student
Computer Science Department, North Carolina State University
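Added example (not part of the original thread or of the SE Android policy): a small Python summarizer that groups the denials quoted in this message by source type, target type and class, decodes the hex-encoded `comm` field, and renders the narrowest allow rule covering each group, which is the information needed to weigh which domains actually require the access. The function names are hypothetical; the sample lines are copied from the log at the top of this message.

```python
import re
from collections import defaultdict

# Three of the denials quoted at the top of this message, copied verbatim.
SAMPLE = """\
<5>[ 76.435272] type=1400 audit(1342043186.382:4): avc: denied { read } for pid=815 comm=42696E646572205468726561642023 name="CtsTestStubs.apk" dev=mmcblk0p12 ino=667811 scontext=u:r:untrusted_app:s0:c9 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 76.435516] type=1400 audit(1342043186.382:5): avc: denied { open } for pid=815 comm=42696E646572205468726561642023 name="CtsTestStubs.apk" dev=mmcblk0p12 ino=667811 scontext=u:r:untrusted_app:s0:c9 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 76.472808] type=1400 audit(1342043186.421:6): avc: denied { read write } for pid=206 comm="PackageManager" path="/data/app/vmdl-400972190.tmp" dev=mmcblk0p12 ino=781829 scontext=u:r:untrusted_app:s0:c9 tcontext=u:object_r:apk_tmp_file:s0 tclass=file
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not a complete AVC denial."""
    m = AVC_RE.search(line)
    fields = dict(FIELD_RE.findall(m.group(2))) if m else {}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    comm = fields.get("comm", "")
    if comm.startswith('"'):
        comm = comm.strip('"')
    else:  # audit hex-encodes values that contain spaces or other unsafe bytes
        try:
            comm = bytes.fromhex(comm).decode("utf-8", "replace")
        except ValueError:
            pass
    stype, ttype = (fields[k].split(":")[2] for k in ("scontext", "tcontext"))  # type = 3rd field
    return {"perms": set(m.group(1).split()), "comm": comm,
            "source": stype, "target": ttype, "tclass": fields["tclass"]}

def summarize(log_text):
    """Group denials by (source type, target type, class) and union their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            key = (d["source"], d["target"], d["tclass"])
            groups[key]["perms"] |= d["perms"]
            groups[key]["comms"].add(d["comm"])
    return dict(groups)

def to_rules(groups):
    """Render the narrowest allow rule that would cover each group of denials."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(to_rules(summarize(SAMPLE))))
```

Comparing the rendered rules with the patch shows where a macro such as `rw_file_perms` or an attribute such as `appdomain` grants more than the logged denials require.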