* Patches to target denies of GpsLocationProvider and media_app over mtp_device
From: hqjiang @ 2012-07-11 22:39 UTC (permalink / raw)
To: selinux; +Cc: sds, bill.c.roberts
One thing should be paid attention to here:
We add a new entry of "user=app_* name=android.process.media domain=media_app levelFromUid=true" to the seapp_context file.
One would say it's unnecessary because there's already one policy "user=app_* seinfo=media domain=media_app levelFromUid=true".
But the thing is that the seinfo of "android.process.media" is not media.
If you have better ideas, please let us know. And we can resubmit the refined patches later.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* [PATCH] Correct the denies of android.process.media when accessing to mtp_device
From: hqjiang @ 2012-07-11 22:39 UTC (permalink / raw)
To: selinux; +Cc: sds, bill.c.roberts, hqjiang
---
seapp_contexts | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/seapp_contexts b/seapp_contexts
index 502206a..1e98f91 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -38,3 +38,4 @@ user=app_* seinfo=shared domain=shared_app levelFromUid=true
user=app_* seinfo=media domain=media_app levelFromUid=true
user=app_* seinfo=release domain=release_app levelFromUid=true
user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
+user=app_* name=android.process.media domain=media_app levelFromUid=true
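Review bot: The added "name=android.process.media" entry carries no seinfo= selector, unlike the three entries above it, so the process lands in media_app on its name alone, whatever seinfo it was given at install. If the seinfo assigned to this package is wrong, that assignment is the thing to fix; otherwise add the seinfo= value the process actually has to this line so the match stays tied to it.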
--
1.7.0.4
* [PATCH] GPSLocation Provider needs socket connection
From: hqjiang @ 2012-07-11 22:39 UTC (permalink / raw)
To: selinux; +Cc: sds, bill.c.roberts, hqjiang
---
system.te | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/system.te b/system.te
index 1a94c75..f35e9a2 100644
--- a/system.te
+++ b/system.te
@@ -192,3 +192,6 @@ allow system domain:file r_file_perms;
# to uart driver and ctrl proc entry
allow system gps_device:chr_file rw_file_perms;
allow system gps_control:file rw_file_perms;
+
+# GpsLocationProvider Connection
+allow system rild:unix_stream_socket connectto;
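Review bot: The new rule grants only connectto on rild:unix_stream_socket, and nothing in this hunk gives system access to the socket file it would connect through. Add the matching sock_file rule for that socket's type alongside "allow system rild:unix_stream_socket connectto;", or state in the description that an existing rule already covers it.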
--
1.7.0.4
* Re: Patches to target denies of GpsLocationProvider and media_app over mtp_device
From: Robert Craig @ 2012-07-12 10:13 UTC (permalink / raw)
To: hqjiang; +Cc: selinux, sds, bill.c.roberts
What branch are you on? I have a build of master that has android.process.media labeled as
u:r:media_app:s0:c10
which would suggest to me that the seinfo string is media. If your android.process.media is not being labeled as media, then what is its label? There was a brief period on the master branch that the mac_permissions.xml file was wrong because of some updates on Jelly Bean permissions needed by some of the apps. Specifically the MediaProvider.
Are you seeing any "MMAC_DENIAL" messages in logcat for any media apps during install?
I would try to re-sync on master and see what happens.
On Wed, Jul 11, 2012 at 6:39 PM, hqjiang <hqjiang1988@gmail.com> wrote:
> One thing should be paid attention to here:
> We add a new entry of "user=app_* name=android.process.media
> domain=media_app levelFromUid=true" to the seapp_context file.
> One would say it's unnecessary because there's already one policy
> "user=app_* seinfo=media domain=media_app levelFromUid=true".
> But the thing is that the seinfo of "android.process.media" is not media.
>
> If you have better ideas, please let us know. And we can resubmit the
> refined patches later.
* Re: [PATCH] Correct the denies of android.process.media when accessing to mtp_device
From: Stephen Smalley @ 2012-07-12 13:35 UTC (permalink / raw)
To: hqjiang; +Cc: selinux, bill.c.roberts
On Wed, 2012-07-11 at 15:39 -0700, hqjiang wrote:
> ---
> seapp_contexts | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/seapp_contexts b/seapp_contexts
> index 502206a..1e98f91 100644
> --- a/seapp_contexts
> +++ b/seapp_contexts
> @@ -38,3 +38,4 @@ user=app_* seinfo=shared domain=shared_app levelFromUid=true
> user=app_* seinfo=media domain=media_app levelFromUid=true
> user=app_* seinfo=release domain=release_app levelFromUid=true
> user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
> +user=app_* name=android.process.media domain=media_app levelFromUid=true
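Review bot: The line added at the end of seapp_contexts arrives with no description at all: the patch goes straight from the headers to the diffstat, so there is no record of the denial it is meant to fix or of the label the process actually received. Put the logged denial and the observed context in the commit message so the entry can be checked against the real cause.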
android.process.media was correctly labeled for us on the Xoom. Need to
track down the real cause of the problem (if it persists after a
re-sync), not just hide it via configuration.
--
Stephen Smalley
National Security Agency
* Re: [PATCH] GPSLocation Provider needs socket connection
From: Stephen Smalley @ 2012-07-12 13:36 UTC (permalink / raw)
To: hqjiang; +Cc: selinux, bill.c.roberts
On Wed, 2012-07-11 at 15:39 -0700, hqjiang wrote:
> ---
> system.te | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/system.te b/system.te
> index 1a94c75..f35e9a2 100644
> --- a/system.te
> +++ b/system.te
> @@ -192,3 +192,6 @@ allow system domain:file r_file_perms;
> # to uart driver and ctrl proc entry
> allow system gps_device:chr_file rw_file_perms;
> allow system gps_control:file rw_file_perms;
> +
> +# GpsLocationProvider Connection
> +allow system rild:unix_stream_socket connectto;
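Review bot: The comment "# GpsLocationProvider Connection" above the new allow rule does not say which socket is being connected to or why system needs it. Name the socket and its file type in the comment so the rule can be matched to a specific denial and narrowed later if needed.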
This should be written using the unix_socket_connect() macro, which
takes three arguments: clientdomain, sockettype, serverdomain. What
type is assigned to the socket file?
--
Stephen Smalley
National Security Agency