Allow untrusted_app access to /data/adspd/*

Something has changed in the Motorola enrollment app. Since this
app runs in untrusted_app, we need to grant untrusted_app read-only
access to /data/adspd.

While I'm here, get rid of the auditallow statements. These statements
are designed to detect whether the allow rule is actually being triggered.
It's clear it is. Until we can get around to fixing this, don't generate
unnecessary selinux log messages.

TODO: Revisit putting the Motorola enrollment app into its own
SELinux domain. Also, we need to remove untrusted apps' access to
/dev/socket/adspdsock

Addresses the following denials:

05-15 19:30:40.971  6354  6354 W com.motorola.triggerenroll: type=1400 audit(0.0:68): avc: denied { search } for comm=4453502066772055706461746572 name="adspd" dev="dm-1" ino=261121 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:adspd_data_file:s0 tclass=dir permissive=0
05-15 19:30:40.971  6354  6354 W com.motorola.triggerenroll: type=1400 audit(0.0:69): avc: denied { search } for comm=4453502066772055706461746572 name="adspd" dev="dm-1" ino=261121 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:adspd_data_file:s0 tclass=dir permissive=0
05-15 19:30:40.971  6354  6354 W com.motorola.triggerenroll: type=1400 audit(0.0:70): avc: denied { search } for comm=4453502066772055706461746572 name="adspd" dev="dm-1" ino=261121 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:adspd_data_file:s0 tclass=dir permissive=0

Bug: 20951546
Change-Id: I22fc122b2d22a300e549be4934bd6d12bf366650
2 files changed
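
Added example, not part of the original commit: a small triage script for denials in the format quoted above. It decodes the hex-encoded comm field (the audit subsystem hex-encodes values containing spaces), collapses repeats, and prints the narrowest rule each denial implies so a reviewer can see how little is actually being requested. The function names are hypothetical, and the two sample lines are copied from the commit message.

```python
import re
from collections import Counter

# Two of the denial lines quoted in the commit message (audit serials 68 and 69).
SAMPLE = '''\
05-15 19:30:40.971  6354  6354 W com.motorola.triggerenroll: type=1400 audit(0.0:68): avc: denied { search } for comm=4453502066772055706461746572 name="adspd" dev="dm-1" ino=261121 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:adspd_data_file:s0 tclass=dir permissive=0
05-15 19:30:40.971  6354  6354 W com.motorola.triggerenroll: type=1400 audit(0.0:69): avc: denied { search } for comm=4453502066772055706461746572 name="adspd" dev="dm-1" ino=261121 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:adspd_data_file:s0 tclass=dir permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def decode_comm(value):
    """Return the process name; unquoted all-hex values are treated as hex-encoded."""
    if value.startswith('"'):
        return value.strip('"')
    if HEX_RE.fullmatch(value):  # heuristic: a bare name like "cafe" would also match
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_denial(line):
    """Extract the fields that matter for policy review from one log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group('kv')))
    return {
        'perms': m.group('perms').split(),
        'comm': decode_comm(kv.get('comm', '')),
        'source': kv['scontext'].split(':')[2],  # type is the third context field
        'target': kv['tcontext'].split(':')[2],
        'tclass': kv['tclass'],
    }

def summarize(log):
    """Count denials per (source, target, class, permission, comm)."""
    counts = Counter()
    for d in filter(None, map(parse_denial, log.splitlines())):
        for perm in d['perms']:
            counts[(d['source'], d['target'], d['tclass'], perm, d['comm'])] += 1
    return counts

def candidate_rules(log):
    """Narrowest rule per denial, for human review rather than direct use."""
    return sorted({f'allow {s} {t}:{c} {p};' for s, t, c, p, _ in summarize(log)})

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).items():
        print(n, key)
    print('\n'.join(candidate_rules(SAMPLE)))
```

The decoded comm shows which process inside the app is touching /data/adspd, which is useful input for the TODO about giving the app its own domain.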