Rewrite mediaserver socket rule using macro. Addresses denials such as: avc: denied { ioctl } for pid=31771 comm="mediaserver" path="socket:[217520]" dev="sockfs" ino=217520 scontext=u:r:mediaserver:s0 tcontext=u:r:mediaserver:s0 tclass=socket Change-Id: Iecae88d88b5fbc1ff348077b8bb926b835fda2e5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: aee14432800280cf4a44610420f9fe06f11f5aa1 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Fri Mar 21 13:38:10 2014 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Fri Mar 21 13:38:10 2014 -0400
tree: b1ea3f635a52dfe384df665645ec59e89daf2e91
parent: 60a9d6e0e5ce35f3b17ac6c0f9930b6de6427c2e [diff]
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 2183efb..61d68d6 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te

@@ -3,5 +3,6 @@
 
 unix_socket_send(mediaserver, camera, camera)
 
-# Permit mediaserver to create sockets
-allow mediaserver self:socket create;
+# Permit mediaserver to create sockets with no specific SELinux class.
+# TODO: Investigate the specific type of socket.
+allow mediaserver self:socket create_socket_perms;
commit	aee14432800280cf4a44610420f9fe06f11f5aa1	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Fri Mar 21 13:38:10 2014 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Fri Mar 21 13:38:10 2014 -0400
tree	b1ea3f635a52dfe384df665645ec59e89daf2e91
parent	60a9d6e0e5ce35f3b17ac6c0f9930b6de6427c2e [diff]