I am still in permissive mode. I tried to activate the wifi and capture the
denials.
Here they are:
<5>[ 1556.632232] type=1400 audit(1349427775.554:6): avc:  denied  { create } for  pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid" scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 1556.632690] type=1400 audit(1349427775.554:7): avc:  denied  { write open } for  pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 1556.632995] type=1400 audit(1349427775.554:8): avc:  denied  { lock } for  pid=1540 comm="dhcpcd" path="/data/misc/dhcp/dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 1556.654541] type=1400 audit(1349427775.570:9): avc:  denied  { execute_no_trans } for  pid=1542 comm="dhcpcd-run-hook" path="/system/bin/toolbox" dev=mmcblk0p10 ino=216 scontext=u:r:dhcp:s0 tcontext=u:object_r:system_file:s0 tclass=file
<5>[ 1562.647552] type=1400 audit(1349427781.570:10): avc:  denied  { create } for  pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.648071] type=1400 audit(1349427781.570:11): avc:  denied  { bind } for  pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.671142] type=1400 audit(1349427781.593:12): avc:  denied  { write } for  pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.684631] type=1400 audit(1349427781.601:13): avc:  denied  { read } for  pid=380 comm="WifiWatchdogSta" path="socket:[9671]" dev=sockfs ino=9671 scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.697631] type=1400 audit(1349427781.617:14): avc:  denied  { getattr } for  pid=380 comm="WifiWatchdogSta" path="socket:[9671]" dev=sockfs ino=9671 scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.697875] type=1400 audit(1349427781.617:15): avc:  denied  { getopt } for  pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1569.517761] type=1400 audit(1349427798.658:16): avc:  denied  { getsched } for  pid=515 comm="Binder_7" scontext=u:r:system:s0 tcontext=u:r:untrusted_app:s0:c55 tclass=process
<5>[ 1569.754669] type=1400 audit(1349427798.892:17): avc:  denied  { read } for  pid=1632 comm="IntentService[C" name="xt_qtaguid" dev=tmpfs ino=4261 scontext=u:r:untrusted_app:s0:c55 tcontext=u:object_r:qtaguid_device:s0 tclass=chr_file
<5>[ 1569.754852] type=1400 audit(1349427798.892:18): avc:  denied  { open } for  pid=1632 comm="IntentService[C" name="xt_qtaguid" dev=tmpfs ino=4261 scontext=u:r:untrusted_app:s0:c55 tcontext=u:object_r:qtaguid_device:s0 tclass=chr_file
<5>[ 1569.755432] type=1400 audit(1349427798.892:19): avc:  denied  { open } for  pid=1632 comm="IntentService[C" name="ctrl" dev=proc ino=4026533142 scontext=u:r:untrusted_app:s0:c55 tcontext=u:object_r:qtaguid_proc:s0 tclass=file

Any suggestions? If I switch to enforcing mode, the phone can't connect to
the wifi network.

Thanks.



On Thu, Oct 4, 2012 at 4:16 PM, Stephen Smalley <[email protected]> wrote:

> On Thu, 2012-10-04 at 16:02 +0200, Alexandra Test wrote:
>
> > <5>[  357.789520] type=1400 audit(1349358893.156:6): avc:  denied
> > { write } for  pid=1222 comm="adbd" name="sepolicy.24" dev=mmcblk0p12
> > ino=529432 scontext=u:r:adbd:s0
> > tcontext=u:object_r:system_data_file:s0 tclass=file
> > <5>[  357.791107] type=1400 audit(1349358893.156:7): avc:  denied
> > { open } for  pid=1222 comm="adbd" name="sepolicy.24" dev=mmcblk0p12
> > ino=529432 scontext=u:r:adbd:s0
> > tcontext=u:object_r:system_data_file:s0 tclass=file
> > <5>[  357.809570] type=1400 audit(1349358893.171:8): avc:  denied
> > { setattr } for  pid=1222 comm="adbd" name="sepolicy.24"
> > dev=mmcblk0p12 ino=529432 scontext=u:r:adbd:s0
> > tcontext=u:object_r:system_data_file:s0 tclass=file
>
> That is to be expected; current policy doesn't allow adbd to write
> to /data/system (system_data_file), so you are seeing denials from the
> adb push command.  You can ignore them (just switch to permissive before
> doing the push) or you can allow them under a policy boolean that only
> gets set for development or you can make adbd a permissive domain for
> development (permissive adbd; in adbd.te).
>
> > So I rebooted the phone and only the first denials remain:
> > <5>[   15.621246] type=1400 audit(1349359031.804:3): avc:  denied
> > { getattr } for  pid=453 comm="Thread-23" path="/cache/lost+found"
> > dev=mmcblk0p11 ino=11 scontext=u:r:media_app:s0
> > tcontext=u:object_r:unlabeled:s0 tclass=dir
> > <4>[   20.224578] avc:  received policyload notice (seqno=2)
> > <4>[   20.227508] avc:  received policyload notice (seqno=11)
>
> This indicates that the media_app first tried to probe that directory
> before it reloaded policy from /data/system/sepolicy.24.  That's ok.  To
> completely eliminate the noise, you can just rebuild your boot image and
> reflash it with your updated policy so that it is part of the original
> boot-time policy.  But it isn't doing any harm.
>
> Are you doing a 'setprop selinux.reload_policy 1' from your post-fs-data
> section of your init.rc?  You need to do that if you want it to always
> load policy from /data/system on each boot.
>
>
Yes, I did.


> BTW, with our latest code, we dropped the policy version suffix on the
> sepolicy file so it is just sepolicy now, not sepolicy.24.  Don't know
> which version of the code you are using.  Requires an updated libselinux
> and sepolicy.


The build number is: full_maguro-userdebug 4.1.1 JRO03L
eng.root.20120913.142725 test-keys




>
> > To transfer the file I did an adb root, is this the problem?
>
> No.
>
> --
> Stephen Smalley
> National Security Agency
>
>

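An added example, not part of the original thread: an audit2allow-style summary that rejoins mail-wrapped AVC records like the ones posted above and groups the denied permissions into candidate allow rules for review. The function names are illustrative, and the sample is constructed from three of the denials in the post.

```python
import re
from collections import defaultdict

# Constructed sample: three denials from the post above, still hard-wrapped by mail.
SAMPLE = """\
<5>[ 1556.632232] type=1400 audit(1349427775.554:6): avc:  denied  { create
} for  pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid" scontext=u:r:dhcp:s0
tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 1556.632690] type=1400 audit(1349427775.554:7): avc:  denied  { write
open } for  pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12
ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0
tclass=file
<5>[ 1562.647552] type=1400 audit(1349427781.570:10): avc:  denied  {
create } for  pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0
tcontext=u:r:system:s0 tclass=packet_socket
"""

RECORD_START = re.compile(r"^<\d+>\[\s*\d+\.\d+\]")  # kernel log prefix
DENIAL = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:([^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:([^:\s]+)\S*\s+tclass=(\w+)")

def unwrap(text):
    """Rejoin hard-wrapped lines so each kernel log record is one string."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if RECORD_START.match(line):
            records.append(line)
        elif records and line:
            records[-1] += " " + line
    return records

def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    perms = defaultdict(set)
    for rec in unwrap(text):
        m = DENIAL.search(rec)
        if m:
            perms[(m[2], m[3], m[4])].update(m[1].split())
    return perms

def to_rules(perms):
    """Render candidate allow rules; target is 'self' when both types match."""
    return [f"allow {s} {'self' if s == t else t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

if __name__ == "__main__":
    print("\n".join(to_rules(summarize(SAMPLE))))
```

The output is a list of candidates to review against the intent of each domain, not rules to merge as-is; a denial may instead point to a mislabeled file or a missing domain transition.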