lucky1928

Reputation: 8879

android - selinux avc denial rule not working

I work on an Android 11 device and got the avc denial below:

avc: denied { write } for name="wake_lock" dev="sysfs" ino=15207 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file permissive=0 app=com.sample.demo

I added the rule below to priv_app.te:

allow priv_app sysfs_wake_lock:file { write };

But it doesn't work. Then I searched on Google and someone said I need to add the mlstrustedsubject attribute since it's an MLS rule!

But AOSP adds a neverallow rule in the system priv_app.te, so the build will fail:

neverallow priv_app mlstrustedsubject:process fork;

What's the correct way to fix this SELinux issue?

Upvotes: 1

Views: 1164

Answers (1)

darren_qi

Reputation: 24

Add mlstrustedobject for sysfs_wake_lock:

type sysfs_wake_lock, fs_type, sysfs_type, mlstrustedobject;

or

typeattribute sysfs_wake_lock mlstrustedobject;

Upvotes: 1
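The denial text alone does not say whether a TE allow rule or an MLS constraint blocked the access, which is why the rule in the question seemed to "not work". The following added example (not code from the question or the answer) parses the quoted denial, derives the allow rule it would need, and flags the category mismatch between scontext (s0:c512,c768) and tcontext (s0) that points at the MLS constraint; it assumes Android's mlsconstrain rules compare subject and object levels as in system/sepolicy, and the `mls_fix` string is the answer's typeattribute suggestion.

```python
import re

# Constructed sample input: the denial quoted in the question.
SAMPLE_DENIAL = (
    'avc: denied { write } for name="wake_lock" dev="sysfs" ino=15207 '
    'scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_wake_lock:s0 '
    'tclass=file permissive=0 app=com.sample.demo'
)

_DENIAL_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def split_context(context):
    """Split user:role:type:sensitivity[:categories] into (type, sensitivity, categories)."""
    parts = context.split(':')
    if len(parts) < 4:
        raise ValueError('not a valid SELinux context: %r' % context)
    cats = set(parts[4].split(',')) if len(parts) > 4 and parts[4] else set()
    return parts[2], parts[3], cats


def diagnose(line):
    """Parse one avc denial; return None if the line is not a denial."""
    m = _DENIAL_RE.search(line)
    if m is None:
        return None
    perms = sorted(m.group('perms').split())
    stype, slevel, scats = split_context(m.group('scontext'))
    ttype, tlevel, tcats = split_context(m.group('tcontext'))
    # The plain TE rule that grants exactly the denied permissions.
    allow_rule = 'allow %s %s:%s { %s };' % (stype, ttype, m.group('tclass'), ' '.join(perms))
    # Assumption: Android's mlsconstrain rules compare the full level (sensitivity
    # plus categories) of subject and object. If they differ, the TE rule is
    # necessary but not sufficient; the object type also needs mlstrustedobject
    # (the answer's fix), since priv_app may not carry mlstrustedsubject.
    mls_mismatch = (slevel, scats) != (tlevel, tcats)
    return {
        'source_type': stype, 'target_type': ttype, 'tclass': m.group('tclass'),
        'perms': perms, 'allow_rule': allow_rule, 'mls_mismatch': mls_mismatch,
        'mls_fix': ('typeattribute %s mlstrustedobject;' % ttype) if mls_mismatch else None,
    }


if __name__ == '__main__':
    for key, value in diagnose(SAMPLE_DENIAL).items():
        print('%s: %s' % (key, value))
```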
