DAC permissions.... You would need MAC permission DAC_override. You should invoke the command as su... So you transition to the su domain.
Bill

On Oct 2, 2013 2:08 PM, "Tai Nguyen (tainguye)" <taing...@cisco.com> wrote:
> All,
>
> We have the following rules
>
> allow shell shell_data_file:dir create_dir_perms;
> allow shell shell_data_file:file create_file_perms;
>
> But we still got permission denied
>
> root@android:/data/local # ls -Z
> drwxrwx--x shell shell u:object_r:shell_data_file:s0 tmp
> drwxr-xr-x root net_admin u:object_r:system_data_file:s0 udev
>
> root@android:/data/local # id
> uid=0(root) gid=0(root) context=u:r:shell:s0
>
> root@android:/data/local # ls -Z tmp
> opendir failed, Permission denied
>
>
> The audit.log file shows
> audit(1380736858.382:29): avc: denied { dac_override } for pid=11062
> comm="ls" capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0
> tclass=capability
> audit(1380736858.390:30): avc: denied { dac_read_search } for pid=11062
> comm="ls" capability=2 scontext=u:r:shell:s0 tcontext=u:r:shell:s0
> tclass=capability
> root@android:/data/misc/audit #
>
> What are we missing?
>
> Thanks
>
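
An added example, not part of the thread or of any project's code: a small Python triage of the quoted listing and audit lines. It shows that the mode bits on tmp refuse read access to uid root (assuming root has no supplementary membership in group shell, which the id output does not show), and that the two AVC records are capability-class denials in the shell domain rather than denials on shell_data_file. All function names are hypothetical.

```python
import re

# Constructed sample: the two denials quoted in the message, one record per line.
AUDIT_LOG = """\
audit(1380736858.382:29): avc: denied { dac_override } for pid=11062 comm="ls" capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability
audit(1380736858.390:30): avc: denied { dac_read_search } for pid=11062 comm="ls" capability=2 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DAC_BYPASS_CAPS = {"dac_override", "dac_read_search"}

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def dac_allows(mode, owner, group, uid, gids, want):
    """Owner/group/other check on an ls-style mode string, with no
    capabilities applied. `want` is a string drawn from 'rwx'."""
    if uid == owner:
        bits = mode[1:4]
    elif group in gids:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return all(c in bits for c in want)

def explain(line):
    rec = parse_avc(line)
    if rec is None:
        return "not an avc denial"
    domain = rec["scontext"].split(":")[2]
    caps = sorted(set(rec["perms"]) & DAC_BYPASS_CAPS)
    if rec["tclass"] == "capability" and caps:
        return f"{domain}: mode bits refused the access; domain may not use {','.join(caps)}"
    return f"{domain}: type enforcement denial on class {rec['tclass']}"

if __name__ == "__main__":
    # tmp is drwxrwx--x shell:shell; opendir needs 'r'. Assumes gids == {root}.
    print("DAC allows read:", dac_allows("drwxrwx--x", "shell", "shell", "root", {"root"}, "r"))
    for line in AUDIT_LOG.splitlines():
        print(explain(line))
```

Because uid 0 falls into the "other" class (`--x`) on tmp, the kernel falls back to the DAC-bypass capabilities, and those capability checks are what SELinux denies for the shell domain.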