Rewrite mediaserver socket rule using macro.

Addresses denials such as:
 avc:  denied  { ioctl } for  pid=31771 comm="mediaserver" path="socket:[217520]" dev="sockfs" ino=217520 scontext=u:r:mediaserver:s0 tcontext=u:r:mediaserver:s0 tclass=socket

We may want to take this to core policy.

Change-Id: I633346feac8f16bea15df6924cf9ec856ae95e79
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 7986c23..f82f16d 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -4,5 +4,6 @@
 unix_socket_send(mediaserver, camera, camera)
 unix_socket_send(mediaserver, mpdecision, mpdecision)
 
-# Permit mediaserver to create sockets
-allow mediaserver self:socket { read create };
+# Permit mediaserver to create sockets with no specific SELinux class.
+# TODO: Investigate the specific type of socket.
+allow mediaserver self:socket create_socket_perms;
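Review bot: the last added line, `allow mediaserver self:socket create_socket_perms;`, grants the full macro set on the generic socket class, while the denial quoted in the commit message shows only `ioctl` being blocked and the removed rule allowed only `{ read create }`. If the wider set is intentional because further denials are expected, the comment should say so; otherwise adding `ioctl` to the existing permission set would be the narrower fix. The TODO would also be easier to follow up if it recorded what the denial already shows (comm="mediaserver", dev="sockfs", tclass=socket), so the rule can be tightened to a specific socket class once the socket type is identified.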