Rewrite mediaserver socket rule using macro.
Addresses denials such as:
avc: denied { ioctl } for pid=31771 comm="mediaserver" path="socket:[217520]" dev="sockfs" ino=217520 scontext=u:r:mediaserver:s0 tcontext=u:r:mediaserver:s0 tclass=socket
We may want to take this to core policy.
Change-Id: I633346feac8f16bea15df6924cf9ec856ae95e79
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 7986c23..f82f16d 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -4,5 +4,6 @@
unix_socket_send(mediaserver, camera, camera)
unix_socket_send(mediaserver, mpdecision, mpdecision)
-# Permit mediaserver to create sockets
-allow mediaserver self:socket { read create };
+# Permit mediaserver to create sockets with no specific SELinux class.
+# TODO: Investigate the specific type of socket.
+allow mediaserver self:socket create_socket_perms;
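Review bot: The replacement rule grants more than the quoted denial asks for; the denial in the commit message is for a single `ioctl` on `tclass=socket`, while `create_socket_perms` (if it expands as the usual Android macro does, to `create` plus the read/write set that also covers `bind`, `connect`, `setopt` and `ioctl`) opens the whole generic socket class for mediaserver. The generic `socket` class is the catch-all the kernel assigns when a socket's address family has no dedicated SELinux class, so the TODO left at line 17 is the real fix: identify which family mediaserver is creating (the denial line does not show it), and then either a specific class can be used or the generic rule can be narrowed to `{ create read ioctl }`. Since the message proposes taking this to core policy, that investigation should happen before the rule is promoted, and the comment should say which socket family the rule was found to cover rather than leaving the TODO open.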