It turned out to be a build problem. This is a prototype from an OEM and they are providing certain proprietary bits as binaries, and they have messed with the build system (e.g. I can't really do a "make clean" to make sure everything builds).

So I now have a working build. I have generated a custom policy for my device using audit2allow on the avc denials that I was getting on startup. For now, I am just blindly using the output of audit2allow (minus the shell stuff). I realize this is not correct, and will go back and clean it up.

Now when I turn on enforcing mode, the device boots without locking up. Which brings me to my next question. Each of the built-in apps that I have tried to run (e.g. Clock, Calculator, Calendar) is failing due to AVC denials. Is this expected behavior?

On Mon, Sep 24, 2012 at 9:40 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Fri, 2012-09-21 at 17:00 -0400, Cesar Maiorino wrote:
>> I don't see any obvious selinux errors in /proc/kmsg (attached),
>> although selinux does not complete its initialization. Comparing to my
>> other device, it looks like the next log entry (after "Registering
>> netfilter hooks") should be loading of the policy, so it is probably
>> dying there.
>>
>> from /proc/kmsg:
>>
>> [ 0.150556] SELinux: Initializing.
>> [ 0.150618] SELinux: Starting in permissive mode
>> ...
>> [ 0.450602] SELinux: Registering netfilter hooks
>> ...
>> [ 6.355470] init: do_chown: Could not access /selinux/booleans
>
> So this suggests that init never loaded policy, as Bill noted. I'd
> suggest diffing your init/init.c file between the working version and
> this one and looking in particular at any code differences between the
> SELinux-related changes. For the 4.0.4 branch, the main() function in
> init/init.c should be calling selinux_load_policy() and the first thing
> done by selinux_load_policy() is to mkdir /selinux and mount selinuxfs
> on it, so if you do not even have a /selinux directory or if it is
> empty, then you never even got to the point of trying to load the policy
> file. Make sure that selinux_enabled is initialized to 1 by default in
> init/init.c. Increase the loglevel in rootdir/init.rc to 6.
>
> --
> Stephen Smalley
> National Security Agency
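
The checks described in the quoted reply (is there a /selinux directory, is it empty, is selinuxfs mounted on it, and does the kernel log show init failing to reach /selinux) can be scripted. The following is an added example, not part of the thread or of the SE Android sources; the function names and state labels are hypothetical, while the /selinux path and the log message text come from the message above.

```shell
#!/bin/sh
# Added example: how far did init get in selinux_load_policy()?
# Pure shell (no awk/grep) so it can run in a minimal device shell.

# selinuxfs_state [DIR] [MOUNTS_FILE]
# Prints: missing | empty | not-selinuxfs | mounted
selinuxfs_state() {
    dir=${1:-/selinux}            # mount point named in the thread
    mounts=${2:-/proc/mounts}
    # No directory: init never ran the mkdir that starts selinux_load_policy().
    [ -d "$dir" ] || { echo missing; return 0; }
    # Empty directory: nothing is mounted there, so no policy load was attempted.
    set -- "$dir"/*
    [ -e "$1" ] || { echo empty; return 0; }
    # /proc/mounts fields: device, mount point, filesystem type, options, ...
    while read -r dev mp fs rest; do
        if [ "$mp" = "$dir" ] && [ "$fs" = selinuxfs ]; then
            echo mounted
            return 0
        fi
    done < "$mounts"
    echo not-selinuxfs
}

# kmsg_policy_hint LOGFILE   (saved copy of /proc/kmsg)
# Prints: no-selinux | policy-not-loaded | inconclusive
kmsg_policy_hint() {
    seen_init=0
    hint=inconclusive
    while IFS= read -r line; do
        case $line in
            *'SELinux:'*'Initializing'*) seen_init=1 ;;
            # init could not reach selinuxfs, as in the log quoted above
            *'init:'*'Could not access /selinux/'*) hint=policy-not-loaded ;;
        esac
    done < "$1"
    [ "$seen_init" -eq 1 ] || hint=no-selinux
    echo "$hint"
}

# Report on the live system; pass a saved kmsg file as $1 to check it too.
echo "selinuxfs: $(selinuxfs_state)"
if [ -n "${1:-}" ]; then
    echo "kmsg: $(kmsg_policy_hint "$1")"
fi
```

A result of `missing` or `empty` matches the case described in the reply where init never got as far as trying to load the policy file; `mounted` only shows that the mount step ran, not that the policy load succeeded.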