Add storage_daemon relabel fuse mountpoint selinux policy

Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
Change-Id: I22ed6cf1198bfac147ad09f669821e9b938acd88
ChenXiaoSong 2023-05-22 11:12:29 +08:00 committed by ChenXiaoSong
parent 3a38899dc3
commit e001ce8a27
2 changed files with 8 additions and 2 deletions


@ -210,8 +210,8 @@ neverallow domain *:filesystem ~{ getattr mount remount unmount relabelfrom rela
neverallow { domain -init -storage_daemon -appspawn -netsysnative updater_only(`-updater')} *:filesystem mount;
neverallow { domain -init debug_only(`-hdcd') } *:filesystem remount;
neverallow { domain -init -storage_daemon debug_only(`-hdcd') -appspawn -nwebspawn updater_only(`-updater')} *:filesystem unmount;
neverallow { domain -init } *:filesystem relabelfrom;
neverallow { domain -init } *:filesystem relabelto;
neverallow { domain -init -storage_daemon } *:filesystem relabelfrom;
neverallow { domain -init -storage_daemon } *:filesystem relabelto;
neverallow { domain -storage_daemon } *:filesystem quotaget;
neverallow { domain -storage_daemon } *:filesystem quotamod;
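Review bot: The exemption added to the relabelfrom/relabelto assertions is `-storage_daemon` against `*:filesystem`, so the compile-time guard no longer constrains which filesystem types storage_daemon may be granted relabel rights on, even though the matching allow rules in the second file only cover `unlabeled` and `hmdfs`. A narrower assertion keeps the guard meaningful for any later allow rule: `neverallow storage_daemon ~{ unlabeled hmdfs }:filesystem relabelfrom;` and `neverallow storage_daemon ~{ hmdfs }:filesystem relabelto;` placed after the two changed lines. If the broad exemption is intentional, a comment above the two lines stating that storage_daemon relabels mounted filesystems and that the allowed types are enumerated in the storage_daemon allow rules would make the intent visible to the next reader of this neverallow table.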


@ -261,3 +261,9 @@ allow storage_daemon dev_console_file:chr_file { read write };
allow storage_daemon musl_param:file { open read map};
allow storage_daemon sa_filemanagement_cloud_daemon_service:samgr_class { get };
allow storage_daemon sa_ca_daemon_service:samgr_class { get };
# avc: denied { relabelfrom } for pid=250 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1
# avc: denied { relabelto } for pid=250 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:hmdfs:s0 tclass=filesystem permissive=1
# avc: denied { relabelfrom } for pid=253 comm="IPC_1_271" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:hmdfs:s0 tclass=filesystem permissive=0
allow storage_daemon unlabeled:filesystem { relabelfrom };
allow storage_daemon hmdfs:filesystem { relabelfrom relabelto };
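Review bot: The two new allow rules are justified only by pasted avc denials; the file gives no statement of why storage_daemon needs to relabel a filesystem, and the commit title speaks of a fuse mountpoint while the granted types are `unlabeled` and `hmdfs`, which a reader cannot reconcile from this hunk alone. I would add a short intent comment above the first allow line, e.g. `# storage_daemon relabels the mounted filesystem on mount (relabelfrom the pre-mount unlabeled/hmdfs label, relabelto hmdfs); no other filesystem type is expected here` — confirm that the fuse mount is indeed labelled hmdfs before wording it that way. The asymmetry (unlabeled gets relabelfrom only, hmdfs gets both) matches the three denials and is the least-privilege shape, so it is worth stating explicitly that it is deliberate. Note that the first two denials were recorded in permissive mode and only the third was enforced, so it may be worth confirming on an enforcing build that no further relabel permission is needed beyond these two rules.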