I'm working on a custom build based on Android 6.0.1 for Nexus 7. This custom build adds a special daemon that is started from init.rc and exposes some API to applications. In particular, one of the available methods creates a new file at /data/daemon_dir and returns a file descriptor, making it possible to write to this file from an app.
The daemon has its own SELinux context (here it's named custom_daemon), and /data/daemon_dir has the custom_daemon_file context. There are sepolicy rules that grant file creation to the daemon and file writes to untrusted_app. The configuration described above worked on Android 5, but after merging with Android 6 I'm getting the following denial:

    07-11 21:57:46.735 13389-13389/? W/Binder_2: type=1400 audit(0.0:945): avc: denied { write } for path="/data/daemon_dir/some_file" dev="mmcblk0p30" ino=496817 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:custom_daemon_file:s0 tclass=file permissive=0

Here are the rules that should allow the operation:

    allow untrusted_app custom_daemon_file:file rw_file_perms;
    allow untrusted_app custom_daemon_file:dir r_dir_perms;
    allow custom_daemon custom_daemon_file:dir create_dir_perms;
    allow custom_daemon custom_daemon_file:file create_file_perms;

An interesting thing in this denial report is that scontext is untrusted_app, but the denial is logged for the daemon process (13389 is one of its thread IDs and Binder_2 is the name of the binder thread that handles the API call). I believe this mismatch is what is causing the denial, but I cannot understand why this happens or how it can be fixed.

--
website: http://groups.google.com/group/android-porting
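As an added triage helper (not part of the original post), the script below parses the avc denial line quoted above and checks it against the quoted allow rules, expanding the permission macros so that the denied permission can be matched against what each rule actually grants. The macro expansions are assumed to match AOSP's sepolicy global_macros; everything else comes from the post.

```python
import re
# Macro expansions as in AOSP sepolicy global_macros (assumed here; not quoted in the post).
MACROS = {
    "r_file_perms": "getattr open read ioctl lock",
    "w_file_perms": "open append write",
    "rw_file_perms": "r_file_perms w_file_perms",
    "create_file_perms": "create rename setattr unlink rw_file_perms",
    "r_dir_perms": "open getattr read search ioctl",
    "w_dir_perms": "open search write add_name remove_name",
    "rw_dir_perms": "r_dir_perms w_dir_perms",
    "create_dir_perms": "create reparent rename rmdir setattr rw_dir_perms",
}

def expand(perms):
    """Recursively expand macro names into the set of raw permission names."""
    out = set()
    for p in perms.replace("{", " ").replace("}", " ").split():
        out |= expand(MACROS[p]) if p in MACROS else {p}
    return out
def parse_allow(rule):
    """'allow src tgt:class perms;' -> (src, tgt, class, expanded perm set)."""
    src, tgt, cls, perms = re.match(
        r"allow\s+(\S+)\s+(\S+):(\S+)\s+(.*?);", rule.strip()).groups()
    return src, tgt, cls, expand(perms)
def parse_denial(line):
    """Pull (source domain, target type, class, permission) out of an avc line."""
    perm = re.search(r"denied \{ (\S+) \}", line).group(1)
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    # u:r:untrusted_app:s0:c512,c768 -> untrusted_app; u:object_r:X:s0 -> X
    return (fields["scontext"].split(":")[2],
            fields["tcontext"].split(":")[2], fields["tclass"], perm)

def rules_covering(denial, rules):
    """Return the allow rules whose source, target, class and perms match the denial."""
    sdom, ttype, cls, perm = parse_denial(denial)
    parsed = [(r, parse_allow(r)) for r in rules]
    return [r for r, (s, t, c, p) in parsed
            if (s, t, c) == (sdom, ttype, cls) and perm in p]

# The denial and the rules quoted in the post, embedded as sample input.
DENIAL = ("07-11 21:57:46.735 13389-13389/? W/Binder_2: type=1400 audit(0.0:945): avc: denied "
          "{ write } for path=\"/data/daemon_dir/some_file\" dev=\"mmcblk0p30\" ino=496817 "
          "scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:custom_daemon_file:s0 "
          "tclass=file permissive=0")
RULES = [
    "allow untrusted_app custom_daemon_file:file rw_file_perms;",
    "allow untrusted_app custom_daemon_file:dir r_dir_perms;",
    "allow custom_daemon custom_daemon_file:dir create_dir_perms;",
    "allow custom_daemon custom_daemon_file:file create_file_perms;",
]
```

For this input `rules_covering(DENIAL, RULES)` returns the first rule, i.e. the quoted policy text does grant untrusted_app write on custom_daemon_file, so the denial cannot be explained by a missing rule in that text alone.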