Resolving the following audit denials: - [ 6.450477] type=1400 audit(1699468821.992:6): avc: denied { read } for comm="aocd" name="notify_timeout_aoc_status" dev="sysfs" ino=78572 scontext=u:r:aocd:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=0 - type=1107 audit(0.0:9): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.aoc.status_request_timed_out pid=1035 uid=0 gid=0 scontext=u:r:aocd:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0' (and get for the same node) Test: on device Bug: 309950738 Change-Id: I476624a6d95667d47ada765d6fe392eecc615256 Signed-off-by: Alex Iacobucci <alexiacobucci@google.com>
type aocd, domain;
|
|
type aocd_exec, vendor_file_type, exec_type, file_type;
|
|
init_daemon_domain(aocd)
|
|
|
|
# access persist files
|
|
allow aocd mnt_vendor_file:dir search;
|
|
allow aocd persist_file:dir search;
|
|
r_dir_file(aocd, persist_aoc_file);
|
|
|
|
# sysfs operations
|
|
allow aocd sysfs_aoc:dir search;
|
|
allow aocd sysfs_aoc_firmware:file w_file_perms;
|
|
allow aocd sysfs_aoc_notifytimeout:file r_file_perms;
|
|
|
|
# dev operations
|
|
allow aocd aoc_device:chr_file rw_file_perms;
|
|
|
|
# allow inotify to watch for additions/removals from /dev
|
|
allow aocd device:dir r_dir_perms;
|
|
|
|
# set properties
|
|
set_prop(aocd, vendor_aoc_prop)
|
|
set_prop(aocd, vendor_timeout_aoc_prop) |
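Review bot: The two new grants, `allow aocd sysfs_aoc_notifytimeout:file r_file_perms;` and `set_prop(aocd, vendor_timeout_aoc_prop)`, only resolve the quoted denials if the new types are also declared and bound to the objects involved, and neither binding is in this file: the denial shows `notify_timeout_aoc_status` still labeled `sysfs_aoc` and `persist.vendor.aoc.status_request_timed_out` still `vendor_default_prop`, so without a genfscon/file_contexts entry for the sysfs node and a property_contexts entry for the property the same denials will recur at boot. Presumably those entries are in sibling files of this change; please confirm they are, and that `vendor_timeout_aoc_prop` is declared as an internal vendor property so the value is not exposed more widely than aocd needs. The read-only grant scoped to a dedicated type rather than widening `sysfs_aoc:file` is the right least-privilege shape; a comment above the rule would make that intent survive future edits, e.g. `# read-only access to the notify_timeout_aoc_status node; it has its own type so the rest of sysfs_aoc stays unreadable`. The set_prop macro also covers the get denial mentioned in the message, so no separate get_prop line is needed.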