authorJeff Vander Stoep <jeffv@google.com>2015-08-28 09:01:46 -0700
committerJeff Vander Stoep <jeffv@google.com>2015-08-28 09:48:18 -0700
commit53c701d91550035f5bc8384f4622f0a3aa9f86bc (patch)
tree8b7766500f11e5c4f1279258b4a77f71ba238e85 /sepolicy
parent7bdcefcfdbbe85cd9c502acd95920340e26294b3 (diff)
downloadbullhead-53c701d91550035f5bc8384f4622f0a3aa9f86bc.tar.gz
sepolicy: address fingerprintd denials
Allow avc: denied { search } for comm="fingerprintd" name="/" dev="mmcblk0p24" ino=2 scontext=u:r:fingerprintd:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0 Dir search denials typically precede file access denials. Temporarily put fingerprintd into permissive to collect additional denials. Bug: 23617307 Change-Id: I6489629437beed9f45bc1b32c1501af236f0f952
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/fingerprintd.te6
1 files changed, 6 insertions, 0 deletions
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
index 86921a2..24d6e63 100644
--- a/sepolicy/fingerprintd.te
+++ b/sepolicy/fingerprintd.te
@@ -1,3 +1,6 @@
+# STOPSHIP: all domains must be in enforcing mode.
+permissive fingerprintd;
+
binder_service(fingerprintd)
# Access to /dev/tee
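Review bot: The added `permissive fingerprintd;` is unconditional, so any build variant produced from this tree would log but not enforce denials for a domain that, going by the surrounding rules, reaches /dev/tee and the fingerprint sensor's input device. If the aim is only to collect denials, wrapping the statement in the `userdebug_or_eng` macro would keep user builds enforcing while the data is gathered. The STOPSHIP comment would also be easier to track if it carried the bug from the commit message, e.g. `# STOPSHIP(b/23617307): remove permissive once fingerprintd denials are resolved.`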
@@ -10,3 +13,6 @@ allow fingerprintd input_device:chr_file r_file_perms;
# read clk_enable and wakeup_enable in /sys/devices/soc.0/f9966000.spi_fpc/
allow fingerprintd sysfs_devices_fingerprint:dir r_dir_perms;
allow fingerprintd sysfs_devices_fingerprint:file rw_file_perms;
+
+# allow access to /persist
+allow fingerprintd persist_file:dir search;
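Review bot: The comment `# allow access to /persist` says more than the rule under it grants, which is only `search` on `persist_file:dir`; something like `# search /persist; file rules to follow from collected denials (b/23617307)` would match the rule and the plan in the commit message. When the follow-up file rules are written, labelling the fingerprint files under /persist with a dedicated type would be narrower than granting file access on `persist_file` as a whole, which presumably also covers unrelated data on that partition. Because the domain is permissive in this commit, the later accesses will be logged rather than blocked, so the audit log should be reviewed before enforcing is restored.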