author Stephen Smalley <sds@tycho.nsa.gov> 2014-09-30 13:09:55 -0400
committer Stephen Smalley <sds@tycho.nsa.gov> 2014-09-30 13:49:58 -0400
commit cedee697c3683ac267c0933200e6727f0910d2e6
tree 1ddcc1b21fb426728cfde95dd033f04ea8ad8833 /fsck.te
parent 92dfa31f7800ff9184e8525dfd471211c90b9d31
Fix fsck-related denials with encrypted userdata.

Allow error reporting via the pty supplied by init.
Allow vold to invoke fsck for checking volumes.

Addresses denials such as:
avc: denied { ioctl } for pid=133 comm="e2fsck" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file

avc: denied { execute } for pid=201 comm="vold" name="e2fsck" dev="mmcblk0p25" ino=98 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file

These denials show up if you have encrypted userdata.

Change-Id: Idc8e6f83a0751f17cde0ee5e4b1fbd6efe164e4c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Diffstat (limited to 'fsck.te')
-rw-r--r-- fsck.te 2
1 files changed, 1 insertions, 1 deletions
diff --git a/fsck.te b/fsck.te
index 5766477..d255175 100644
--- a/fsck.te
+++ b/fsck.te
@@ -10,7 +10,7 @@ init_daemon_domain(fsck)
allow fsck tmpfs:chr_file { read write ioctl };
# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck devpts:chr_file { read write };
+allow fsck devpts:chr_file { read write ioctl };
# Run e2fsck on block devices.
# TODO: Assign userdata and cache block device types to the corresponding
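
Review bot: The comment above the changed `allow fsck devpts:chr_file { read write ioctl };` line still only says "Inherit and use pty", so nothing in the policy records why `ioctl` is now granted; consider extending it to say the ioctl is for e2fsck error reporting on the init-supplied pty, which would also explain why it mirrors the `tmpfs:chr_file { read write ioctl }` rule just above. Note too that the rule covers every chr_file labelled `devpts`, not only the inherited pty, which is worth stating in the comment if it is intentional. Separately, the commit message cites a second denial (`vold` executing `fsck_exec`), but this view is limited to fsck.te and nothing here addresses it, so confirm the matching vold rule is in the rest of the commit.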