Allow installd to stat asec files and /data/media files.

Addresses denials such as: avc: denied { getattr } for comm="installd" path="/data/app-asec/com.vectorunit.red-1.asec" dev="dm-0" ino=578229 scontext=u:r:installd:s0 tcontext=u:object_r:asec_image_file:s0 tclass=file avc: denied { getattr } for pid=262 comm="installd" path="/data/media/0/Android/data/com.google.android.apps.maps/cache/cache_vts_tran_base_GMM.m" dev="dm-0" ino=124930 scontext=u:r:installd:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from commit d2622fda) Change-Id: Iac46236ee583dee11a7e6518a9e8eca25c59e9ba

Allow installd to stat asec files and /data/media files.
2fbecbba · Stephen Smalley · Nick Kralevich · f1b92488 · 2fbecbba
Commit 2fbecbba authored 10 years ago by Stephen Smalley Committed by Nick Kralevich 10 years ago
--- a/installd.te
+++ b/installd.te
@@ -17,8 +17,9 @@ selinux_check_context(installd)
 # Read /seapp_contexts and /data/security/seapp_contexts
 security_access_policy(installd)
-# Search /data/app-asec.
+# Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
+allow installd asec_image_file:file getattr;
 # Create /data/user and /data/user/0 if necessary.
 # Also required to initially create /data/data subdirectories
@@ -29,7 +30,7 @@ allow installd system_data_file:lnk_file { create setattr unlink };
 # Upgrade /data/media for multi-user if necessary.
 allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file unlink;
+allow installd media_rw_data_file:file { getattr unlink };
 # restorecon new /data/media directory.
 allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;