From bd627e8b90b15b52fd570f67038f2e635913bf04 Mon Sep 17 00:00:00 2001 From: Paul Crowley Date: Mon, 9 Sep 2019 13:45:38 -0700 Subject: [PATCH] msm8974-common: sepolicy: allow tee system_data_root_file:dir r_dir_perms; aosp/1106014 introduces a new class system_data_root_file and tee needs access to that as well as system_data_file. 09-09 20:26:53.639 645 645 I auditd : type=1400 audit(0.0:9): avc: denied { read } for comm="qseecomd" name="/" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1 09-09 20:26:53.639 645 645 I qseecomd: type=1400 audit(0.0:9): avc: denied { read } for name="/" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1 09-09 20:26:53.639 645 645 I auditd : type=1400 audit(0.0:10): avc: denied { open } for comm="qseecomd" path="/data" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1 09-09 20:26:53.639 645 645 I qseecomd: type=1400 audit(0.0:10): avc: denied { open } for path="/data" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1 Bug: 140402208 Test: Flash Taimen device, enroll fingerprint, check log for denials Change-Id: Ie976d7bbe4aeba875b96b6b82a94734b71ba1cb9 --- sepolicy/common/tee.te | 1 + 1 file changed, 1 insertion(+) create mode 100644 sepolicy/common/tee.te diff --git a/sepolicy/common/tee.te b/sepolicy/common/tee.te new file mode 100644 index 0000000..0db0a8e --- /dev/null +++ b/sepolicy/common/tee.te @@ -0,0 +1 @@ +allow tee system_data_root_file:dir r_dir_perms;