95ccd22dad58afdb341ad5b6274969529968f810 - device/google/cuttlefish

commit	95ccd22dad58afdb341ad5b6274969529968f810	[log] [tgz]
author	Alex Klyubin <klyubin@google.com>	Fri Aug 25 16:07:01 2017 -0700
committer	Alex Klyubin <klyubin@google.com>	Fri Aug 25 16:14:09 2017 -0700
tree	57f5f91cbcce0284914fa67ac1d1520aeccec2e0
parent	5b4b264a0cb8c211d2adca0095e86473fae21849 [diff]

Address orientation changes sepolicy denials

Turns out vnc_server communicates with system_server over a Unix domain
socket /var/run/system/sensors_hal_socket. This will hopefully go away
soon -- see b/65062047.

denied { write } for comm="system-server-i" name="system" dev="tmpfs" scontext=u:r:system_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
denied { add_name } for comm="system-server-i" name="sensors_hal_socket" scontext=u:r:system_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
denied { create } for comm="system-server-i" name="sensors_hal_socket" scontext=u:r:system_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=sock_file
denied { setattr } for comm="system-server-i" name="sensors_hal_socket" dev="tmpfs" scontext=u:r:system_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=sock_file

denied { write } for comm="vnc_server" name="sensors_hal_socket" dev="tmpfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=sock_file
denied { connectto } for comm="vnc_server" path="/var/run/system/sensors_hal_socket" scontext=u:r:vnc_server:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket
denied { search } for pid=1605 comm="vnc_server" name="system" dev="tmpfs" ino=6486 scontext=u:r:vnc_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Test: Device boots, VNC works fine, incl. orientation changes between
      portrait and landscape. No SELinux denials to do with
      system_server or vnc_server.
Bug: 28053261

Change-Id: I23f0b23b6a92cc8f2f907551bc5f76dd69bd7a51

4 files changed

tree: 57f5f91cbcce0284914fa67ac1d1520aeccec2e0