From c3d43d2b47748f5e0278f01371398ed3e65ccdab Mon Sep 17 00:00:00 2001
From: rogersb11
Date: Thu, 12 Nov 2015 04:06:26 -0500
Subject: Revert "Remove device specific SEPolicy" Will follow with policy updates
This reverts commit 8e368fa918f244e214ee8bd53ce332ce6ad74663.
Change-Id: I58247300df68442709b44623e29b1bee0c6d5496
---
selinux/time_daemon.te | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 selinux/time_daemon.te
(limited to 'selinux/time_daemon.te')
diff --git a/selinux/time_daemon.te b/selinux/time_daemon.te
new file mode 100644
index 0000000..5793197
--- /dev/null
+++ b/selinux/time_daemon.te
@@ -0,0 +1,21 @@
+# Policies for time daemon
+type time_daemon, domain;
+type time_daemon_exec, exec_type, file_type;
+type time_data_file, file_type, data_file_type;
+
+# Make transition to its own time_daemon domain from init
+init_daemon_domain(time_daemon)
+allow time_daemon smem_log_device:chr_file rw_file_perms;
+
+# Add rules for access permissions
+#============= IOCTL operations ==============
+allow time_daemon rtc_device:chr_file { open read ioctl };
+allow time_daemon alarm_device:chr_file { open read write ioctl };
+
+#============= File read/write ==============
+allow time_daemon time_data_file:file { write create open read};
+allow time_daemon time_data_file:dir { write add_name search};
+allow time_daemon self:socket { write read create ioctl};
+allow time_daemon self:capability { setuid setgid };
+
+r_dir_file(time_daemon, sysfs_esoc);
--
cgit v1.2.3
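Review bot: The `allow time_daemon self:capability { setuid setgid };` rule near the end of the new file is the most privileged grant here and has no comment saying why the time daemon needs to change its own IDs. If it exists so the daemon can drop from root to a service account after init starts it (not visible from this patch), say so above the rule, e.g. `# setuid/setgid: drop from root to the service UID/GID at startup`. The `self:socket` rule just above it uses the generic `socket` class, so a one-line comment naming the address family it is meant for would help a later audit. This page is path-limited to `selinux/time_daemon.te`, so confirm that the commit's `file_contexts` labels the daemon binary as `time_daemon_exec` and its data directory as `time_data_file`; without those labels the `init_daemon_domain` transition and the `time_data_file` rules have no effect.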