From eb6656ce0ddc583c4cd6f4e47271f05376ccff53 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 7 Jan 2016 16:11:53 -0800
Subject: [PATCH] priv_app.te: refine cache_recovery_file auditallow rules

priv_app reads from /cache/recovery, but I'm still not sure if
it writes. Eliminate the read auditallow rules and allow the
writes to show up (if any).

Eliminates the following auditallow messages:

  avc: granted { search } for comm="IntentService[S" name="recovery" dev="mmcblk0p38" ino=12 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
  avc: granted { getattr } for comm="Thread-1" path="/cache/recovery/last_install" dev="mmcblk0p27" ino=29891 scontext=u:r:priv_app:s0:c525,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=file
  avc: granted { read open } for comm="Thread-1" name="recovery" dev="mmcblk0p27" ino=29889 scontext=u:r:priv_app:s0:c525,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir

Change-Id: Ibc0640f5366aae50e3fd09d17657374390b24a5c
---
 priv_app.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/priv_app.te b/priv_app.te
index 709904475..bd98ab7a0 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -36,8 +36,8 @@ allow priv_app mnt_media_rw_file:dir search;
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
 allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
 
-auditallow priv_app cache_recovery_file:dir create_dir_perms;
-auditallow priv_app cache_recovery_file:file create_file_perms;
+auditallow priv_app cache_recovery_file:dir no_w_dir_perms;
+auditallow priv_app cache_recovery_file:file no_w_file_perms;
 
 # Access to /data/media.
 allow priv_app media_rw_data_file:dir create_dir_perms;
-- 
GitLab