Allow installd to stat asec files and /data/media files.

Addresses denials such as: avc: denied { getattr } for comm="installd" path="/data/app-asec/com.vectorunit.red-1.asec" dev="dm-0" ino=578229 scontext=u:r:installd:s0 tcontext=u:object_r:asec_image_file:s0 tclass=file avc: denied { getattr } for pid=262 comm="installd" path="/data/media/0/Android/data/com.google.android.apps.maps/cache/cache_vts_tran_base_GMM.m" dev="dm-0" ino=124930 scontext=u:r:installd:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Change-Id: I406f1bea32736e2277adae1629a879fac0d714b6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow installd to stat asec files and /data/media files.
d2622fda · Stephen Smalley · 84ed890a · d2622fda
Commit d2622fda authored 10 years ago by Stephen Smalley
--- a/installd.te
+++ b/installd.te
@@ -19,8 +19,9 @@ selinux_check_context(installd)
 # Read /seapp_contexts and /data/security/seapp_contexts
 security_access_policy(installd)

-# Search /data/app-asec.
+# Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
+allow installd asec_image_file:file getattr;

 # Create /data/user and /data/user/0 if necessary.
 # Also required to initially create /data/data subdirectories
@@ -31,7 +32,7 @@ allow installd system_data_file:lnk_file { create setattr unlink };

 # Upgrade /data/media for multi-user if necessary.
 allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file unlink;
+allow installd media_rw_data_file:file { getattr unlink };
 # restorecon new /data/media directory.
 allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;