android_system_sepolicy/healthd.te

# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type healthd, domain;
type healthd_exec, exec_type, file_type;

init_daemon_domain(healthd)
allow healthd rootfs:file { read entrypoint };
write_klog(healthd)

allow healthd self:capability { net_admin mknod };
allow healthd self:capability2 block_suspend;
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
binder_use(healthd)
binder_call(healthd, system_server)

# Workaround for 0x10 / block_suspend capability2 denials.
# Requires a kernel patch to fix properly.
permissive healthd;
healthd: add sepolicy Change-Id: Ic0351c69d67aa3a6f71f505408c53d642626ebb4 2013-06-03 14:09:54 -07:00			`# healthd seclabel is specified in init.rc since`
			`# it lives in the rootfs and has no unique file type.`
			`type healthd, domain;`
			`type healthd_exec, exec_type, file_type;`

			`init_daemon_domain(healthd)`
Confine healthd, but leave it permissive for now. Remove unconfined_domain() and add the allow rules required for operation of healthd. Restore the permissive declaration until I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is applied to the 3.4 kernel. Resolves the following denials in 4.4: type=1400 audit(1383590167.750:14): avc: denied { read } for pid=49 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=1232 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file type=1400 audit(1383590167.750:15): avc: denied { mknod } for pid=49 comm="healthd" capability=27 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability type=1400 audit(1383590167.750:16): avc: denied { create } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590167.750:17): avc: denied { setopt } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590167.750:17): avc: denied { net_admin } for pid=49 comm="healthd" capability=12 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability type=1400 audit(1383590167.750:18): avc: denied { bind } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket shell@generic:/ $ type=1400 audit(1383590168.800:21): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder type=1400 audit(1383590168.800:22): avc: denied { transfer } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder type=1400 audit(1383590168.800:23): avc: denied { 0x10 } for pid=49 comm="healthd" capability=36 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2 type=1400 audit(1383590168.800:24): avc: denied { read } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590212.320:161): avc: denied { call } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder type=1400 audit(1383590212.320:161): avc: denied { transfer } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder type=1400 audit(1383590212.320:162): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder type=1400 audit(1383590275.930:463): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder Change-Id: Iacd058edfa1e913a8f24ce8937d2d76c928d6740 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-11-04 06:53:46 -08:00			`allow healthd rootfs:file { read entrypoint };`
healthd: add sepolicy Change-Id: Ic0351c69d67aa3a6f71f505408c53d642626ebb4 2013-06-03 14:09:54 -07:00			`write_klog(healthd)`

Confine healthd, but leave it permissive for now. Remove unconfined_domain() and add the allow rules required for operation of healthd. Restore the permissive declaration until I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is applied to the 3.4 kernel. Resolves the following denials in 4.4: type=1400 audit(1383590167.750:14): avc: denied { read } for pid=49 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=1232 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file type=1400 audit(1383590167.750:15): avc: denied { mknod } for pid=49 comm="healthd" capability=27 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability type=1400 audit(1383590167.750:16): avc: denied { create } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590167.750:17): avc: denied { setopt } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590167.750:17): avc: denied { net_admin } for pid=49 comm="healthd" capability=12 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability type=1400 audit(1383590167.750:18): avc: denied { bind } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket shell@generic:/ $ type=1400 audit(1383590168.800:21): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder type=1400 audit(1383590168.800:22): avc: denied { transfer } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder type=1400 audit(1383590168.800:23): avc: denied { 0x10 } for pid=49 comm="healthd" capability=36 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2 type=1400 audit(1383590168.800:24): avc: denied { read } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590212.320:161): avc: denied { call } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder type=1400 audit(1383590212.320:161): avc: denied { transfer } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder type=1400 audit(1383590212.320:162): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder type=1400 audit(1383590275.930:463): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder Change-Id: Iacd058edfa1e913a8f24ce8937d2d76c928d6740 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-11-04 06:53:46 -08:00			`allow healthd self:capability { net_admin mknod };`
			`allow healthd self:capability2 block_suspend;`
			`allow healthd self:netlink_kobject_uevent_socket create_socket_perms;`
			`binder_use(healthd)`
			`binder_call(healthd, system_server)`
healthd: add sepolicy Change-Id: Ic0351c69d67aa3a6f71f505408c53d642626ebb4 2013-06-03 14:09:54 -07:00
Confine healthd, but leave it permissive for now. Remove unconfined_domain() and add the allow rules required for operation of healthd. Restore the permissive declaration until I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is applied to the 3.4 kernel. Resolves the following denials in 4.4: type=1400 audit(1383590167.750:14): avc: denied { read } for pid=49 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=1232 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file type=1400 audit(1383590167.750:15): avc: denied { mknod } for pid=49 comm="healthd" capability=27 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability type=1400 audit(1383590167.750:16): avc: denied { create } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590167.750:17): avc: denied { setopt } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590167.750:17): avc: denied { net_admin } for pid=49 comm="healthd" capability=12 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability type=1400 audit(1383590167.750:18): avc: denied { bind } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket shell@generic:/ $ type=1400 audit(1383590168.800:21): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder type=1400 audit(1383590168.800:22): avc: denied { transfer } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder type=1400 audit(1383590168.800:23): avc: denied { 0x10 } for pid=49 comm="healthd" capability=36 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2 type=1400 audit(1383590168.800:24): avc: denied { read } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590212.320:161): avc: denied { call } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder type=1400 audit(1383590212.320:161): avc: denied { transfer } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder type=1400 audit(1383590212.320:162): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder type=1400 audit(1383590275.930:463): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder Change-Id: Iacd058edfa1e913a8f24ce8937d2d76c928d6740 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-11-04 06:53:46 -08:00			`# Workaround for 0x10 / block_suspend capability2 denials.`
			`# Requires a kernel patch to fix properly.`
			`permissive healthd;`