# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
updater_only(`

# Type-enforcement rules for the init domain in updater mode; the
# updater_only() wrapper presumably limits them to that build variant.
# Every allow rule is preceded by the avc denials it was derived from.
# The avc lines are documentation only and are not evaluated by the
# policy compiler; keep them in sync when a rule is changed.

# Files that still carry the generic rootfs label at early init (the
# denials below show /bin/hilog, ueventd and /etc/param/* in that state
# before relabelling). "execute" and "map" let init run any such file in
# its own domain, so new updater binaries should get a dedicated file
# type rather than relying on this rule.
# NOTE(review): the hilogd.control write denial listed below comes from
# the hilogd domain, not init, and is not covered by this rule.
#avc: denied { read } for pid=1 comm="init" name="ohos.para.size" dev="rootfs" ino=17448 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
#avc: denied { getattr } for pid=1 comm="init" path="/etc/selinux/targeted/contexts/file_contexts" dev="rootfs" ino=17429 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
#avc: denied { open } for pid=1 comm="init" path="/etc/selinux/targeted/contexts/file_contexts" dev="rootfs" ino=17429 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
#avc: denied { open } for pid=1 comm="init" path="/etc/param/ohos.para.size" dev="rootfs" ino=17448 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
#avc: denied { execute } for pid=231 comm="init" name="ueventd" dev="rootfs" ino=17717 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
#avc: denied { execute_no_trans } for pid=233 comm="init" path="/bin/hilog" dev="rootfs" ino=797 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
#avc: denied { map } for pid=1 comm="init" path="/lib/init/librebootmodule.z.so" dev="rootfs" ino=17620 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
#avc: denied { map } for pid=235 comm="hilog" path="/bin/hilog" dev="rootfs" ino=17650 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
#avc: denied { write } for pid=227 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_1.info" dev="rootfs" ino=26950 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
allow init rootfs:file { getattr read open execute map };

# Directory handling on rootfs-labelled directories: write/add_name/create
# let init create entries (the denials show /config being created under
# "/"); relabelfrom/relabelto are the boot-time relabel of "/" and
# /system. Note this grants write access to any rootfs-labelled
# directory, not just the ones listed in the denials.
# avc: denied { read } for pid=1 comm="init" name="etc" dev="rootfs" ino=399 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
# avc: denied { open } for pid=1 comm="init" path="/etc" dev="rootfs" ino=16655 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
# avc: denied { relabelfrom } for pid=1 comm="init" name="system" dev="rootfs" ino=386 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
# avc: denied { write } for pid=1 comm="init" name="/" dev="rootfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
# avc: denied { add_name } for pid=1 comm="init" name="config" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
# avc: denied { create } for pid=1 comm="init" name="config" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
# avc: denied { setattr } for pid=1 comm="init" name="param" dev="rootfs" ino=17987 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1
# avc: denied { relabelto } for pid=1 comm="init" name="/" dev="tmpfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1
allow init rootfs:dir { read open write relabelfrom add_name create setattr relabelto };

# init creates, configures and binds the kobject uevent netlink socket
# that ends up labelled with the ueventd domain (tcontext=u:r:ueventd:s0).
# avc: denied { create } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
# avc: denied { setopt } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
# avc: denied { bind } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
allow init ueventd:netlink_kobject_uevent_socket { create setopt bind };

# Relabelling /system from rootfs to system_file and reading it afterwards.
# avc: denied { relabelto } for pid=1 comm="init" name="system" dev="rootfs" ino=17408 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
# avc: denied { read } for pid=1 comm="init" name="system" dev="rootfs" ino=17408 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
# avc: denied { open } for pid=1 comm="init" path="/system" dev="rootfs" ino=17408 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
# avc: denied { getattr } for pid=1 comm="init" path="/system" dev="rootfs" ino=17413 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
allow init system_file:dir { read open relabelto getattr };

# "associate" permits objects of the named type to exist on a rootfs
# filesystem; each relabelto above needs the matching associate rule
# below or the relabel fails.
# avc: denied { associate } for pid=1 comm="init" name="system" dev="rootfs" ino=17408 scontext=u:object_r:system_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
allow system_file rootfs:filesystem { associate };

# The /bin, /lib and /etc entries on rootfs are symlinks (tclass=lnk_file)
# that init relabels from rootfs to their system_* types.
#avc: denied { relabelfrom } for pid=1 comm="init" name="bin" dev="rootfs" ino=2032 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
allow init rootfs:lnk_file { relabelfrom };

#avc: denied { relabelto } for pid=1 comm="init" name="bin" dev="rootfs" ino=2032 scontext=u:r:init:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1
# avc: denied { getattr } for pid=1 comm="init" path="/system/bin" dev="rootfs" ino=17417 scontext=u:r:init:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1
allow init system_bin_file:lnk_file { relabelto getattr };

#avc: denied { associate } for pid=1 comm="init" name="bin" dev="rootfs" ino=2032 scontext=u:object_r:system_bin_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
allow system_bin_file rootfs:filesystem { associate };

#avc: denied { relabelto } for pid=1 comm="init" name="lib" dev="rootfs" ino=2031 scontext=u:r:init:s0 tcontext=u:object_r:system_lib_file:s0 tclass=lnk_file permissive=1
# avc: denied { getattr } for pid=1 comm="init" path="/system/lib" dev="rootfs" ino=17416 scontext=u:r:init:s0 tcontext=u:object_r:system_lib_file:s0 tclass=lnk_file permissive=1
allow init system_lib_file:lnk_file { relabelto getattr };

#avc: denied { associate } for pid=1 comm="init" name="lib" dev="rootfs" ino=2031 scontext=u:object_r:system_lib_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
allow system_lib_file rootfs:filesystem { associate };

# The "read" here is the hilog helper (still running in the init domain,
# see the execute_no_trans grants) following the /system/etc symlink.
#avc: denied { relabelto } for pid=1 comm="init" name="etc" dev="rootfs" ino=2030 scontext=u:r:init:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
#avc: denied { read } for pid=235 comm="hilog" name="etc" dev="rootfs" ino=17415 scontext=u:r:init:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
# avc: denied { getattr } for pid=1 comm="init" path="/system/etc" dev="rootfs" ino=17415 scontext=u:r:init:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
allow init system_etc_file:lnk_file { relabelto read getattr };

#avc: denied { associate } for pid=1 comm="init" name="etc" dev="rootfs" ino=2030 scontext=u:object_r:system_etc_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
allow system_etc_file rootfs:filesystem { associate };

# /vendor relabel and traversal.
#avc: denied { read } for pid=1 comm="init" name="vendor" dev="rootfs" ino=16661 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1
#avc: denied { open } for pid=1 comm="init" path="/vendor" dev="rootfs" ino=16661 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1
#avc: denied { relabelto } for pid=1 comm="init" name="vendor" dev="rootfs" ino=2038 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1
# avc: denied { getattr } for pid=1 comm="init" path="/vendor" dev="rootfs" ino=17423 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1
allow init vendor_file:dir { relabelto read open getattr };

#avc: denied { associate } for pid=1 comm="init" name="vendor" dev="rootfs" ino=16661 scontext=u:object_r:vendor_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
allow vendor_file rootfs:filesystem { associate };

# /data, /data/log and /data/log/hilog live on rootfs in updater mode, so
# their types also need associate with the rootfs filesystem.
#avc: denied { associate } for pid=1 comm="init" name="data" dev="rootfs" ino=20555 scontext=u:object_r:data_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
allow data_file rootfs:filesystem { associate };

#avc: denied { mount } for pid=1 comm="init" name="/" dev="tmpfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=1
allow init tmpfs:filesystem { mount };

#avc: denied { associate } for pid=1 comm="init" name="log" dev="rootfs" ino=20558 scontext=u:object_r:data_log:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
allow data_log rootfs:filesystem { associate };

#avc: denied { associate } for pid=1 comm="init" name="hilog" dev="rootfs" ino=20559 scontext=u:object_r:data_hilogd_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
allow data_hilogd_file rootfs:filesystem { associate };

# /config (configfs mount point) is created and relabelled by init.
#avc: denied { relabelto } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1
#avc: denied { read } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1
#avc: denied { open } for pid=1 comm="init" path="/config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1
#avc: denied { setattr } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1
allow init config_file:dir { relabelto read open setattr };

#avc: denied { associate } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:object_r:config_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
allow config_file rootfs:filesystem { associate };

# USB gadget setup through configfs: only getattr on the os_desc symlink
# is granted here.
#avc: denied { getattr } for pid=1 comm="init" path="/config/usb_gadget/g1/os_desc/b.1" dev="configfs" ino=20701 scontext=u:r:init:s0 tcontext=u:object_r:configfs:s0 tclass=lnk_file permissive=1
allow init configfs:lnk_file { getattr };

# functionfs at /dev/usb-ffs/hdc: init mounts it (mounton) and inspects
# ep0 before handing it to the USB function daemon.
#avc: denied { read } for pid=1 comm="init" name="/" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
#avc: denied { open } for pid=1 comm="init" path="/dev/usb-ffs/hdc" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
#avc: denied { search } for pid=1 comm="init" name="/" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
#avc: denied { setattr } for pid=1 comm="init" name="/" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
#avc: denied { mounton } for pid=1 comm="init" path="/dev/usb-ffs/hdc" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
allow init functionfs:dir { read open search setattr mounton };

#avc: denied { getattr } for pid=1 comm="init" path="/dev/usb-ffs/hdc/ep0" dev="functionfs" ino=19955 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1
allow init functionfs:file { getattr };

# Domain transition init -> updater when /bin/updater is exec'd.
# rlimitinh/siginh let the updater process inherit init's resource limits
# and pending signals across the transition.
#avc: denied { transition } for pid=234 comm="init" path="/bin/updater" dev="rootfs" ino=17825 scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=process permissive=1
#avc: denied { rlimitinh } for pid=234 comm="updater" scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=process permissive=1
#avc: denied { siginh } for pid=234 comm="updater" scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=process permissive=1
allow init updater:process { transition rlimitinh siginh };

# The following hilog-related grants are all for the init domain because
# /bin/hilog runs without a domain transition here (see execute_no_trans
# below); they would move to a hilog domain if one were introduced.
#avc: denied { open } for pid=236 comm="hilog" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:init:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
#avc: denied { map } for pid=235 comm="hilog" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:init:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
allow init musl_param:file { open map };

#avc: denied { write } for pid=234 comm="hilog" name="hilogControl" dev="tmpfs" ino=67 scontext=u:r:init:s0 tcontext=u:object_r:hilog_control_socket:s0 tclass=sock_file permissive=1
allow init hilog_control_socket:sock_file { write };

#avc: denied { connectto } for pid=234 comm="hilog" path="/dev/unix/socket/hilogControl" scontext=u:r:init:s0 tcontext=u:r:hilogd:s0 tclass=unix_stream_socket permissive=1
allow init hilogd:unix_stream_socket { connectto };

# /dev/console is still rootfs-labelled at this point. The ioctl grant is
# narrowed with allowxperm to 0x5413 (TIOCGWINSZ on Linux) so the rule
# does not open the whole ioctl range on every rootfs chr_file.
#avc: denied { ioctl } for pid=234 comm="hilog" path="/dev/console" dev="rootfs" ino=16652 ioctlcmd=0x5413 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
#avc: denied { write } for pid=234 comm="hilog" path="/dev/console" dev="rootfs" ino=16652 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
allow init rootfs:chr_file { ioctl write };
allowxperm init rootfs:chr_file ioctl { 0x5413 };

# avc: denied { read } for pid=1 comm="init" name="misc" dev="tmpfs" ino=133 scontext=u:r:init:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1
allow init dev_file:lnk_file { read };

# /vendor/lib64 symlink relabel.
#avc: denied { relabelto } for pid=1 comm="init" name="lib64" dev="rootfs" ino=18269 scontext=u:r:init:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=lnk_file permissive=0
# avc: denied { getattr } for pid=1 comm="init" path="/vendor/lib64" dev="rootfs" ino=17424 scontext=u:r:init:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=lnk_file permissive=1
allow init vendor_lib_file:lnk_file { relabelto getattr };

#avc: denied { associate } for pid=1 comm="init" name="lib64" dev="rootfs" ino=395 scontext=u:object_r:vendor_lib_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=0
allow vendor_lib_file rootfs:filesystem { associate };

# Mounting the external exFAT card (mmcblk1p1) at /sdcard. Removable media
# is attacker-controllable input to the updater; this only grants the
# mount, what is read from it is governed by the exfat file rules.
#avc: denied { mount } for pid=1 comm="init" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:exfat:s0 tclass=filesystem permissive=0
allow init exfat:filesystem { mount };

# avc: denied { mounton } for pid=1 comm="init" path="/sdcard" dev="mmcblk1p1" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0
allow init exfat:dir { mounton };

# execute_no_trans: init runs /bin/hilog in its own domain rather than
# transitioning. Combined with the execute/map grant at the top of the
# file this covers every rootfs-labelled binary, so any file that misses
# its file_contexts entry becomes runnable by init. The three
# init->rootfs:file rules in this file could be merged; they are kept
# apart to preserve the avc-to-rule mapping.
#avc: denied { execute_no_trans } for pid=234 comm="init" path="/bin/hilog" dev="rootfs" ino=19711 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
allow init rootfs:file { execute_no_trans };

# Relabelling hilogd's persister state files under /data/log/hilog.
# avc: denied { getattr } for pid=238 comm="init" path="/data/log/hilog/.persisterInfo_2" dev="rootfs" ino=27803 scontext=u:r:init:s0 tcontext=u:object_r:data_hilogd_file:s0 tclass=file permissive=1
# avc: denied { relabelto } for pid=238 comm="init" name=".persisterInfo_2" dev="rootfs" ino=27803 scontext=u:r:init:s0 tcontext=u:object_r:data_hilogd_file:s0 tclass=file permissive=1
allow init data_hilogd_file:file { getattr relabelto };

# /proc/<pid>/status of the updater process carries the updater domain
# label; init only needs getattr on it.
# avc: denied { getattr } for pid=1 comm="init" path="/proc/235/status" dev="proc" ino=27295 scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=file permissive=1
allow init updater:file { getattr };

# Source side of the .persisterInfo relabel above (rootfs -> data_hilogd_file).
# avc: denied { relabelfrom } for pid=237 comm="init" name=".persisterInfo_1" dev="rootfs" ino=28034 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
allow init rootfs:file { relabelfrom };
')