This is happening due to MLS constraints.
For your app to access the socket, either you should declare cp_data_file
as mlstrustedobject or the category of both the scontext and tcontext should be
the same, i.e. platform_app:s0:c512,c768.
Since the category of both scontext and tcontext is different, the allow rule is
not taking effect due to MLS constraints.
In file sepolicy/mls:
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
    (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
(Better to label your socket as cp_socket.)
type cp_socket, file_type, mlstrustedobject;
Thanks.
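As an added illustration of the MLS check described in the reply above (example code, not from either poster): this Python script parses the quoted avc denial, evaluates the quoted mlsconstrain expression against a hypothetical attribute table, and shows why labelling the socket with a type that carries mlstrustedobject lets the write through. The ATTRS table and all helper names are assumptions, not part of the thread.

```python
import re

# Denial line constructed from the one quoted in the thread.
DENIAL = ('avc: denied { write } for pid=1599 comm="Thread-274" name="my_sock" '
          'scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:cp_data_file:s0 '
          'tclass=sock_file permissive=0')

# Hypothetical stand-in for the compiled policy's type -> attribute mapping.
ATTRS = {
    "platform_app": set(),
    "cp_data_file": {"file_type"},
    "cp_socket": {"file_type", "mlstrustedobject"},  # the relabel suggested in the reply
}

def parse_context(ctx):
    """Split u:r:type:s0:c512,c768 into (type, sensitivity, frozenset of categories)."""
    _user, _role, typ, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    categories = frozenset(cats.split(",")) if cats else frozenset()
    return typ, sens, categories

def parse_denial(line):
    """Pull scontext, tcontext and tclass out of an avc denial line."""
    m = re.search(r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)", line)
    if not m:
        raise ValueError("not an avc denial line")
    return m.group(1), m.group(2), m.group(3)

def mls_permits_write(scontext, tcontext, attrs):
    """Evaluate the sepolicy/mls expression quoted in the reply:
    (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject)."""
    t1, s1, c1 = parse_context(scontext)
    t2, s2, c2 = parse_context(tcontext)
    return (t2 == "app_data_file"
            or (s1, c1) == (s2, c2)                       # l1 eq l2: same sensitivity and categories
            or "mlstrustedsubject" in attrs.get(t1, set())
            or "mlstrustedobject" in attrs.get(t2, set()))

def check(line, attrs=ATTRS):
    """True if the MLS constraint would let the denied access through (TE allow rule aside)."""
    scontext, tcontext, _tclass = parse_denial(line)
    return mls_permits_write(scontext, tcontext, attrs)

if __name__ == "__main__":
    print("as cp_data_file:", "passes MLS" if check(DENIAL) else "blocked by MLS")
    print("as cp_socket:   ", "passes MLS" if check(DENIAL.replace("cp_data_file", "cp_socket")) else "blocked by MLS")
```

The second line prints "passes MLS" only because cp_socket carries mlstrustedobject; the allow rule in platform_app.te is still required for the TE check.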
From: Seandroid-list [mailto:[email protected]] On Behalf Of Sameer Joshi
Sent: Monday, May 30, 2016 4:45 PM
To: [email protected]
Subject: Issue with platform_app
Hi,
My native process, written in C++ and started through init.rc, and a platform
app service running in Android both communicate using a unix socket.
I have kept that socket in the directory /data/cp/, which has been defined in
file_contexts as cp_data_file.
The socket path is /data/cp/my_sock.
Now I want to give the platform app service running in dalvik access to this
socket so it can write to it.
I did that using the following line in platform_app.te:
allow platform_app cp_data_file:sock_file write;
Still, the following denials are being thrown by SELinux:
type=1400 audit(1464606790.906:181): avc: denied { write } for pid=1599
comm="Thread-274" name="my_sock" dev="mtdblock1" ino=42267
scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:cp_data_file:s0
tclass=sock_file permissive=0
Please help me understand why this rule is not working in platform_app.te. Everything
compiles fine, but there seems to be an issue with giving platform_app access to
this file.
Regards,
Sameer Joshi