Fix miscellaneous long-tail denials.

Change-Id: Ie0947f79c63f962220d3c9316c5d5d82f677821f

Fix miscellaneous long-tail denials.
d615ef34 · Geremy Condra · fc2bd01b · d615ef34 · d615ef34
Commit d615ef34 authored 11 years ago by Geremy Condra
--- a/installd.te
+++ b/installd.te
@@ -11,11 +11,12 @@ allow installd system_data_file:lnk_file create;
 allow installd dalvikcache_data_file:file create_file_perms;
 allow installd data_file_type:dir create_dir_perms;
 allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:{ file lnk_file } { getattr unlink };
+allow installd data_file_type:{ file lnk_file sock_file } { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd download_file:dir { read getattr };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)

--- a/zygote.te
+++ b/zygote.te
@@ -5,7 +5,7 @@ type zygote_exec, exec_type, file_type;
 init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid };
+allow zygote self:capability { dac_override setgid setuid fowner };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.