author | Jeff Vander Stoep <jeffv@google.com> | 2015-07-28 15:50:13 -0700 |
---|---|---|
committer | Jeff Vander Stoep <jeffv@google.com> | 2015-07-28 16:38:57 -0700 |
commit | 0dfebcc338e789473692a1e85042c9877c926abd (patch) | |
tree | 43f2046576f3fc54b21b493ec7aeb6d854c81644 /sepolicy | |
parent | 447f98b80ae1df0d5176c809f0a42d0699e87795 (diff) | |
download | bullhead-0dfebcc338e789473692a1e85042c9877c926abd.tar.gz |
selinux: label fingerprint data files

/data/fpc and /data/fpc_tpl should have the fingerprintd_data_file label
Have init create /data/fpc to avoid giving tee dir write permissions
to system_data_file.

avc: denied { write } for pid=406 comm="qseecomd" name="/" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { add_name } for pid=406 comm="qseecomd" name="fpc" scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { create } for pid=406 comm="qseecomd" name="fpc" scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { create } for pid=406 comm="qseecomd" name="global.db" scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
avc: denied { write open } for pid=406 comm="qseecomd" path="/data/fpc/global.db" dev="dm-2" ino=662258 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
Bug: 22416042
Change-Id: I3a8d40f10998fd60eb779ebdbb4a9d5a11274341
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/file_contexts | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index f7b2ead..8e1e3f7 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -10,6 +10,7 @@ /data/time(/.*)? u:object_r:time_data_file:s0 /data/ramdump(/.*)? u:object_r:ramdump_data_file:s0 /data/diag_logs(/.*)? u:object_r:diag_logs:s0 +/data/fpc.* u:object_r:fingerprintd_data_file:s0 # GPU device /dev/kgsl-3d0 u:object_r:gpu_device:s0 |
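Review bot: The added pattern `/data/fpc.*` is a bare prefix match, so it labels any path under /data whose name begins with "fpc", not just the two directories named in the commit message (/data/fpc and /data/fpc_tpl). The neighbouring entries in this file use the `(/.*)?` form to bound the match at a path component; consider two explicit entries instead, `/data/fpc(/.*)?` and `/data/fpc_tpl(/.*)?`, each with u:object_r:fingerprintd_data_file:s0, so that an unrelated file or directory later created with an fpc-prefixed name does not silently inherit the fingerprint data label. Separately, the commit message says init should create /data/fpc, but the diffstat shows only sepolicy/file_contexts changed; if the mkdir lives in another change, a reference to it in the message would help, since without it the quoted tee denials on system_data_file (write, add_name, create on the /data directory) are not addressed by this label alone.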