Allow shell to find all services.
dumpsys from shell results in many denials:
11-08 02:52:13.087 171 171 E SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.089 171 171 E SELinux : avc: denied { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
11-08 02:52:13.093 171 171 E SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
11-08 02:52:13.103 171 171 E SELinux : avc: denied { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.104 171 171 E SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.114 171 171 E SELinux : avc: denied { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.114 171 171 E SELinux : avc: denied { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.118 171 171 E SELinux : avc: denied { find } for service=nfc scontext=u:r:shell:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
11-08 02:52:13.130 171 171 E SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.379 171 171 E SELinux : avc: denied { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
11-08 02:52:13.388 171 171 E SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
11-08 02:52:13.574 171 171 E SELinux : avc: denied { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.576 171 171 E SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
11-08 02:52:13.712 171 171 E SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.712 171 171 E SELinux : avc: denied { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
Bug: 18799966
Change-Id: Id2bf69230338ac9dd45dc5d70f419fa41056e4fc
diff --git a/shell.te b/shell.te
index f5b551b..6af3717 100644
--- a/shell.te
+++ b/shell.te
@@ -47,9 +47,6 @@
allow shell debug_prop:property_service set;
allow shell powerctl_prop:property_service set;
-allow shell system_server_service:service_manager find;
-allow shell tmp_system_server_service:service_manager find;
-
# systrace support - allow atrace to run
# debugfs doesn't support labeling individual files, so we have
# to grant read access to all of /sys/kernel/debug.
@@ -60,8 +57,9 @@
# allow shell to run dmesg
allow shell kernel:system syslog_read;
-# allow shell to list services
+# allow shell access to services
allow shell servicemanager:service_manager list;
+allow shell service_manager_type:service_manager find;
# allow shell to look through /proc/ for ps, top
allow shell domain:dir { search open read getattr };
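Review bot: The added rule `allow shell service_manager_type:service_manager find;` is an attribute-wide grant — every service label carrying service_manager_type becomes findable from shell, not only the ones in the denial log above (surfaceflinger_service, keystore_service, mediaserver_service, …), and any service type introduced later inherits the permission automatically. That is a deliberate broadening compared with the two per-type find rules dropped in the first hunk, so the comment line should record it instead of the generic `# allow shell access to services`; for example `# allow shell to list and find all services (service_manager_type is the attribute on every service label) so dumpsys can reach them`. If dumpsys is the only motivation, enumerating the service types it needs would keep the grant narrower, but that is a policy decision the commit message should state either way. Presumably find on its own does not let shell invoke a service without a matching binder_call rule for that domain — worth confirming and noting in the comment.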