New sensors-config SELinux policy.
init.grouper.rc:
We chown both /data/sensors and /data/lightsensor
to avoid dac_override denials. sensors-config runs
as root and will otherwise generate denials
when trying to access /data/sensors and
/data/lightsensor. The sensors-config
binary does a chown to system,system
as its final operation.
sensors_config.te:
1) Allow executing toolbox:
denied { execute } for pid=139 comm="sensors-config" name="mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { read open } for pid=139 comm="sensors-config" name="mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=139 comm="sensors-config" path="/system/bin/mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=144 comm="sh" path="/system/bin/toolbox" dev=mmcblk0p3 ino=262 scontext=u:r:sensors_config:s0 tcontext=u:object_r:system_file:s0 tclass=file
2) Mounting and reading from PER block device:
denied { mounton } for pid=127 comm="sensors-config" path="/data/calibration" dev=mmcblk0p9 ino=225345 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
denied { mount } for pid=127 comm="sensors-config" name="/" dev=mmcblk0p7 ino=1 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
denied { unmount } for pid=128 comm="sensors-config" scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
denied { read } for pid=127 comm="sensors-config" name="KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
denied { open } for pid=127 comm="sensors-config" name="KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
denied { getattr } for pid=128 comm="sensors-config" path="/data/calibration/sensors/KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
denied { search } for pid=128 comm="sensors-config" name="block" dev=tmpfs ino=5252 scontext=u:r:sensors_config:s0 tcontext=u:object_r:block_device:s0 tclass=dir
denied { search } for pid=127 comm="sensors-config" name="/" dev=mmcblk0p7 ino=1 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=dir
3) Chown and chmod /data/lightsensor, /data/sensors
denied { chown } for pid=408 comm="chown" capability=0 scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability
denied { fowner } for pid=403 comm="chmod" capability=3 scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability
4) Mount and umount commands
denied { sys_admin } for pid=128 comm="sensors-config" capability=21 scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability
Change-Id: I08a523766b9b55620c36fcc85793f1a27275edbc
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
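The commit message above lists the raw AVC denials that the new sensors_config.te is meant to resolve, but not the resulting allow rules. The following is an added example (not the commit's policy file and not Android's audit2allow) that shows the mechanical step a policy author performs: parse each `denied { perms } ... scontext=... tcontext=... tclass=...` line, group by (source type, target type, class), collapse same-domain capability denials onto `self`, and emit one TE allow rule per group. The sample input is the denial text quoted in the message; the helper names (`parse_denials`, `to_allow_rules`, `flag_broad_rules`) are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC denials quoted in the commit message.
DENIALS = """\
denied { execute } for pid=139 comm="sensors-config" name="mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { read open } for pid=139 comm="sensors-config" name="mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=139 comm="sensors-config" path="/system/bin/mksh" dev=mmcblk0p3 ino=194 scontext=u:r:sensors_config:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=144 comm="sh" path="/system/bin/toolbox" dev=mmcblk0p3 ino=262 scontext=u:r:sensors_config:s0 tcontext=u:object_r:system_file:s0 tclass=file
denied { mounton } for pid=127 comm="sensors-config" path="/data/calibration" dev=mmcblk0p9 ino=225345 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sensors_data_file:s0 tclass=dir
denied { mount } for pid=127 comm="sensors-config" name="/" dev=mmcblk0p7 ino=1 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
denied { unmount } for pid=128 comm="sensors-config" scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=filesystem
denied { read } for pid=127 comm="sensors-config" name="KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
denied { open } for pid=127 comm="sensors-config" name="KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
denied { getattr } for pid=128 comm="sensors-config" path="/data/calibration/sensors/KXTF9_Calibration.ini" dev=mmcblk0p7 ino=113 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=file
denied { search } for pid=128 comm="sensors-config" name="block" dev=tmpfs ino=5252 scontext=u:r:sensors_config:s0 tcontext=u:object_r:block_device:s0 tclass=dir
denied { search } for pid=127 comm="sensors-config" name="/" dev=mmcblk0p7 ino=1 scontext=u:r:sensors_config:s0 tcontext=u:object_r:sdcard_external:s0 tclass=dir
denied { chown } for pid=408 comm="chown" capability=0 scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability
denied { fowner } for pid=403 comm="chmod" capability=3 scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability
denied { sys_admin } for pid=128 comm="sensors-config" capability=21 scontext=u:r:sensors_config:s0 tcontext=u:r:sensors_config:s0 tclass=capability
"""

# Matches the fields of an AVC denial that a TE rule needs: the permission
# set, the source/target security contexts and the object class.
AVC_RE = re.compile(
    r'denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions a reviewer should not accept just because a denial showed up.
BROAD_PERMS = {'sys_admin', 'dac_override', 'dac_read_search', 'sys_ptrace'}


def type_of(context):
    """Extract the type field: 'u:r:sensors_config:s0' -> 'sensors_config'."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_denials(text):
    """Group permissions by (source type, target type, class), keeping first-seen order."""
    groups = OrderedDict()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; ignore
        key = (type_of(m['scon']), type_of(m['tcon']), m['tclass'])
        perms = groups.setdefault(key, OrderedDict())
        for p in m['perms'].split():
            perms[p] = True
    return groups


def to_allow_rules(groups):
    """Render each group as a TE allow rule, using 'self' for same-domain targets."""
    rules = []
    for (src, tgt, cls), perms in groups.items():
        target = 'self' if src == tgt else tgt
        names = sorted(perms)
        body = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {target}:{cls} {body};')
    return rules


def flag_broad_rules(groups):
    """Return the permissions that should be justified rather than pasted in."""
    flagged = []
    for (src, tgt, cls), perms in groups.items():
        for p in perms:
            if cls == 'capability' and p in BROAD_PERMS:
                flagged.append((src, cls, p))
            if tgt == 'shell_exec' and p in ('execute', 'execute_no_trans'):
                flagged.append((src, tgt, p))
    return flagged


if __name__ == '__main__':
    groups = parse_denials(DENIALS)
    for rule in to_allow_rules(groups):
        print(rule)
    for item in flag_broad_rules(groups):
        print('# review:', item)
```

The output is a starting point, not a finished policy: the rules mirror exactly what was denied, so anything flagged (here `sys_admin` for mount/umount and executing the shell) should be checked against the platform's neverallow rules and narrowed if the binary's real needs are smaller than the denials suggest.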
diff --git a/init.grouper.rc b/init.grouper.rc
index b28ed51..ecba6b1 100644
--- a/init.grouper.rc
+++ b/init.grouper.rc
@@ -57,8 +57,14 @@
chown bluetooth net_bt_stack /data/misc/bluetooth
# sensors-config
- mkdir /data/sensors 751 system system
- mkdir /data/lightsensor 751 system system
+ mkdir /data/sensors 751
+ # /data/sensors was owned by system/system earlier.
+ # Force it to root/root if it already exists.
+ chown root root /data/sensors
+ mkdir /data/lightsensor 751
+ # /data/lightsensor was owned by system/system earlier.
+ # Force it to root/root if it already exists.
+ chown root root /data/lightsensor
mkdir /data/calibration
mkdir /data/amit
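Review bot: the two comments added in this hunk are word-for-word identical apart from the path, and neither says that the chown runs on every boot rather than only once on upgrade; since the commit message states sensors-config chowns both directories back to system,system as its final step, the boot-time revert to root/root is a deliberate cycle and the .rc should say so. Suggest one comment covering both lines, e.g. `# Both dirs were owned by system/system earlier; force root/root each boot so` / `# sensors-config (root) avoids dac_override. It chowns them back to system when done.` Also, with the owner arguments dropped from `mkdir /data/sensors 751` and `mkdir /data/lightsensor 751`, init creates the directories as root, so the `chown root root` lines only take effect when the directory already exists, which the comment's "if it already exists" wording should state more directly.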