a15f249346
/dev/teei_fp is used by fingerprint to communicate with Microtrust TEE drivers to
store fingerprint data on the device. Label it and allow relevant source required
permissions.
Denial observed without this change:
[ 17.672144] .(4)[397:logd.auditd]type=1400 audit(1608975801.860:326): avc: denied { ioctl } for comm="fingerprint@2.1" path="/dev/teei_fp" dev="tmpfs" ino=15742 ioctlcmd=0x5402 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and notice denials have disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I8a7445400be241e81f8bf21347967b85381ed3ec
SELinux policy for MediaTek devices
Don't recurse into the platform makefiles. We don't care about them, and we
don't want to force a reset of BOARD_SEPOLICY_DIRS.
If you want to use these policies, add a
include device/mediatek/sepolicy/sepolicy.mk
to your device's BoardConfig. It is highly recommended that in case you have
your own BOARD_SEPOLICY_DIRS declaration, the inclusion happens before
those lines
Repository Details
This repository uses device/mediatek/wembley-sepolicy as base till 4769fb0d973bf079934054c6c5423ca06d67010a.
After that Google's device-specific changes starts.
Till 4769fb0d973bf079934054c6c5423ca06d67010a, this repository is similar to
the basic sepolicy repository provided by MediaTek to the OEMs.