This is an MLS denial: s0:c512,c768 writing to s0 is a downgrade and is
not allowed unless either the subject or the object has an MLS
trusted attribute.

Without knowing more about the processes and directories involved, it
is hard to give advice, but since the subject is untrusted_app, it is
not a good idea to make it MLS trusted.


On Wed, Dec 16, 2015 at 10:51 PM, Mendell, Mark P
<[email protected]> wrote:
> I am playing with some changes to the system, using Android 6.0.  I am
> getting log messages like:
>
> 12-16 22:11:27.051 10233 10233 W android.process.media: type=1400
> audit(0.0:972): avc: denied { write } for
> comm=45786163742050726F66696C652042 name="XXX" dev="dm-0" ino=16300
> scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:YYY:s0 tclass=file
> permissive=0
>
>
>
> I find this to be confusing, as I have an explicit line in the
> devices/…/sepolicy/untrusted_app.te:
>
> allow untrusted_app YYY:dir { search getattr };
>
> allow untrusted_app YYY:file { rw_file_perms };
>
>
>
> I also see the same problem with platform_app.  Other uses of YYY work
> perfectly for me (I spent quite a bit of time figuring this out by trial and
> error).  Only untrusted_app and platform_app are a problem.
>
>
>
> Can anyone help me figure this out?  Are untrusted_app and platform_app
> treated differently?  I searched the generated policy.conf file, but didn’t
> see anything that looked like it had anything that would override the allows
> above.
>
>
>
> Thanks,
>
>
>
> Mark Mendell
>
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].
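
The check described in the reply, as an added example that is not part of the thread or of AOSP: it parses the denial quoted above and reports whether the write fails the MLS level comparison even though a type-enforcement allow rule exists. It assumes a simplified model of the constraint (the object's level must dominate the subject's unless one side is MLS trusted); the function names and the `trusted` flag are hypothetical.

```python
import re

# Denial quoted in the post, joined onto one line (XXX/YYY are the poster's redactions).
SAMPLE = ('avc: denied { write } for comm=45786163742050726F66696C652042 name="XXX" '
          'dev="dm-0" ino=16300 scontext=u:r:untrusted_app:s0:c512,c768 '
          'tcontext=u:YYY:s0 tclass=file permissive=0')

# Trailing MLS level of a context: sensitivity, then an optional category list.
LEVEL_RE = re.compile(r":s(\d+)(?::(c[0-9c.,]+))?$")

def parse_level(context):
    """Return (sensitivity, set of categories) from the end of a security context."""
    m = LEVEL_RE.search(context)
    if not m:
        raise ValueError(f"no MLS level in {context!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition(".")      # "c0.c3" denotes a category range
        lo = int(lo[1:])
        hi = int(hi[1:]) if hi else lo
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), cats

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def explain_denial(line, trusted=False):
    """Flag a write denial as an MLS downgrade (assumed rule: object must dominate subject).

    trusted=True models the subject or object carrying an MLS trusted attribute.
    """
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    perms = re.search(r"\{ ([^}]*) \}", line).group(1).split()
    subj = parse_level(fields["scontext"])
    obj = parse_level(fields["tcontext"])
    downgrade = "write" in perms and not dominates(obj, subj) and not trusted
    return {"perms": perms, "subject": subj, "object": obj, "mls_downgrade": downgrade}

if __name__ == "__main__":
    print(explain_denial(SAMPLE))
```

When `mls_downgrade` is true, adding more `allow` rules for the type will not clear the denial, because the level comparison is evaluated separately from type enforcement.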
