On 10/20/2014 08:03 AM, harish kavali wrote:
> Hi all,
> 
>     I had created a new directory "/data/mydir" and labelled it in
> file_contexts as
>     /data/mydir(/.*)?   u:object_r:my_data_file:s0
> 
>     In file.te I defined the new type as
>     type my_data_file, file_type, data_file_type;

Add 'mlstrustedobject' here if you want it to be writable by apps
running at any level, e.g.
        type my_data_file, file_type, data_file_type, mlstrustedobject;

> 
>     In my type enforcement file "myapp.te" I added the following rules:
>    allow my_app my_data_file:dir create_dir_perms;
>    allow my_app my_data_file:file create_file_perms;
>    allow my_app my_data_file:file r_file_perms;
>    allow my_app my_data_file:file w_file_perms;

create_file_perms is a superset of r_file_perms and w_file_perms, so you
can omit the latter two lines.

> 
>   All the files are located in the device/lge/hammerhead/sepolicy directory.
> 
>   When I try to read a file from /data/mydir I am able to read it, but
> when I try to write to that file
>   I am getting an avc denied error.
>   I am also unable to create a file in /data/mydir.

Please, in the future, show the actual avc message.  But I am fairly
sure it is due to a level mismatch as above.

> 
>  My seapp_contexts contains
>  user=_app seinfo=cdac domain=cdac_app type=app_data_file levelFrom=user

This doesn't align with your statements above; there you used my_app but
here you use cdac_app.  Regardless, with levelFrom=user, you are being
assigned a unique MLS category set per Android user and therefore must
mark any types that should be writable with mlstrustedobject as well.

> 
> Please help me with this issue. I am using the seandroid 4.4.4 branch.

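To make the "level mismatch" diagnosis above concrete, here is an added example (not part of the original thread) that parses an AVC denial of the kind the reply asks for and reports whether the source domain carries MLS categories the target type lacks. The sample denial line, the pid/inode values and the c512,c768 category set are constructed for illustration.

```python
import re

# Constructed sample denial. With levelFrom=user the app domain gets a
# per-user category set (c512,c768 here); the directory labelled
# my_data_file carries only s0, so the MLS write constraint fails even
# though the allow rules are present. Read succeeds because s0:c512,c768
# dominates s0; write needs equal levels or an mlstrusted* type.
SAMPLE_AVC = (
    'avc: denied { write } for pid=4321 comm="com.example.cdac" '
    'name="notes.txt" dev="mmcblk0p28" ino=65538 '
    'scontext=u:r:cdac_app:s0:c512,c768 '
    'tcontext=u:object_r:my_data_file:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

WRITE_LIKE = {"write", "append", "create", "add_name", "remove_name", "unlink"}


def split_context(ctx):
    """Split u:r:cdac_app:s0:c512,c768 into (user, role, type, level)."""
    user, role, typ, *level = ctx.split(":", 3)
    return user, role, typ, (level[0] if level else "s0")


def categories(level):
    """Return the set of MLS categories in a level such as s0:c512,c768."""
    parts = level.split(":", 1)
    if len(parts) < 2 or not parts[1]:
        return set()
    return set(parts[1].split(","))


def diagnose(avc_line):
    """Classify one AVC denial; returns None if the line is not a denial."""
    m = AVC_RE.search(avc_line)
    if not m:
        return None
    perms = m.group("perms").split()
    _, _, s_type, s_level = split_context(m.group("scontext"))
    _, _, t_type, t_level = split_context(m.group("tcontext"))
    s_cats, t_cats = categories(s_level), categories(t_level)
    # Write-type permission plus categories the target lacks: an MLS
    # mismatch, not a missing allow rule.
    mls_mismatch = bool(s_cats - t_cats) and any(p in WRITE_LIKE for p in perms)
    hint = ("add mlstrustedobject to type %s" % t_type) if mls_mismatch else \
           "check allow rules for %s -> %s:%s" % (s_type, t_type, m.group("tclass"))
    return {"source_type": s_type, "target_type": t_type, "perms": perms,
            "source_cats": sorted(s_cats), "target_cats": sorted(t_cats),
            "likely_mls_mismatch": mls_mismatch, "hint": hint}
```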

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].