!2434 fix: add dmsfwk and dcamera selinux policy

Merge pull request !2434 from hobbycao/master
2025-02-21 13:22:56 +00:00 · 2023-05-31 02:24:09 +00:00 · 2023-05-31 02:24:09 +00:00 · 11bb530645
commit 11bb530645
parent 4d664c758b b687776d5f
3 changed files with 8 additions and 1 deletions
--- a/sepolicy/ohos_policy/distributedhardware/distributed_camera/system/dcamera.te
+++ b/sepolicy/ohos_policy/distributedhardware/distributed_camera/system/dcamera.te
@ -158,6 +158,9 @@ allow dcamera vendor_bin_file:dir { search };
 #avc:  denied  { call } for  pid=571 comm="msdp" scontext=u:r:dcamera:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1
 allow dcamera accesstoken_service:binder { call };

+#avc:  denied  { get } for service=4802 pid=3227 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_foundation_devicemanager_service:s0 tclass=samgr_class permissive=1
+allow dcamera sa_foundation_devicemanager_service:samgr_class { get };
+
 allow dcamera bootevent_param:file { map open read };
 allow dcamera bootevent_samgr_param:file { map open read };
 allow dcamera build_version_param:file { map open read };
--- a/sepolicy/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te
+++ b/sepolicy/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te
@ -66,5 +66,9 @@ allow distributedsche sa_bgtaskmgr:samgr_class { get };
 allow distributedsche sa_memory_manager_service:samgr_class { get };
 #avc:  denied  { call } for  pid=479 comm="DmsComponentCha" scontext=u:r:distributedsche:s0 tcontext=u:r:memmgrservice:s0 tclass=binder permissive=0
 allow distributedsche memmgrservice:binder { call };
+#avc:  denied  { get } for service=402 pid=3055 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_distributed_bundle_mgr_service_service:s0 tclass=samgr_class permissive=1
+allow distributedsche sa_distributed_bundle_mgr_service_service:samgr_class { get };
+#avc:  denied  { call } for  pid=479 comm="continue_manage" scontext=u:r:distributedsche:s0 tcontext=u:r:d-bms:s0 tclass=binder permissive=0
+allow distributedsche d-bms:binder { call };

 neverallow {domain -samgr -distributedsche} sa_distributeschedule:samgr_class { get_remote };
--- a/sepolicy/ohos_policy/distributedschedule/distributedsche/system/softbus_server.te
+++ b/sepolicy/ohos_policy/distributedschedule/distributedsche/system/softbus_server.te
@ -11,6 +11,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-allow softbus_server distributedsche:binder { call };
+allow softbus_server distributedsche:binder { call transfer };
 allow softbus_server normal_hap_attr:binder { call };
 allow softbus_server sa_privacy_service:samgr_class { get };