Alexandra Test wrote:
I am still in permissive mode, I tried to activate the wifi and capture
the denials.

There is a patchset on Gerrit to address these denials. I'll clean it up this weekend and hopefully get it merged.

Here they are:
<5>[ 1556.632232] type=1400 audit(1349427775.554:6): avc: denied {
create } for pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid"
scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 1556.632690] type=1400 audit(1349427775.554:7): avc: denied { write
open } for pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12
ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0
tclass=file
<5>[ 1556.632995] type=1400 audit(1349427775.554:8): avc: denied { lock
} for pid=1540 comm="dhcpcd" path="/data/misc/dhcp/dhcpcd-wlan0.pid"
dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0
tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 1556.654541] type=1400 audit(1349427775.570:9): avc: denied {
execute_no_trans } for pid=1542 comm="dhcpcd-run-hook"
path="/system/bin/toolbox" dev=mmcblk0p10 ino=216 scontext=u:r:dhcp:s0
tcontext=u:object_r:system_file:s0 tclass=file
<5>[ 1562.647552] type=1400 audit(1349427781.570:10): avc: denied {
create } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0
tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.648071] type=1400 audit(1349427781.570:11): avc: denied { bind
} for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0
tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.671142] type=1400 audit(1349427781.593:12): avc: denied {
write } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0
tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.684631] type=1400 audit(1349427781.601:13): avc: denied { read
} for pid=380 comm="WifiWatchdogSta" path="socket:[9671]" dev=sockfs
ino=9671 scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.697631] type=1400 audit(1349427781.617:14): avc: denied {
getattr } for pid=380 comm="WifiWatchdogSta" path="socket:[9671]"
dev=sockfs ino=9671 scontext=u:r:system:s0 tcontext=u:r:system:s0
tclass=packet_socket
<5>[ 1562.697875] type=1400 audit(1349427781.617:15): avc: denied {
getopt } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0
tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1569.517761] type=1400 audit(1349427798.658:16): avc: denied {
getsched } for pid=515 comm="Binder_7" scontext=u:r:system:s0
tcontext=u:r:untrusted_app:s0:c55 tclass=process
<5>[ 1569.754669] type=1400 audit(1349427798.892:17): avc: denied { read
} for pid=1632 comm="IntentService[C" name="xt_qtaguid" dev=tmpfs
ino=4261 scontext=u:r:untrusted_app:s0:c55
tcontext=u:object_r:qtaguid_device:s0 tclass=chr_file
<5>[ 1569.754852] type=1400 audit(1349427798.892:18): avc: denied { open
} for pid=1632 comm="IntentService[C" name="xt_qtaguid" dev=tmpfs
ino=4261 scontext=u:r:untrusted_app:s0:c55
tcontext=u:object_r:qtaguid_device:s0 tclass=chr_file
<5>[ 1569.755432] type=1400 audit(1349427798.892:19): avc: denied { open
} for pid=1632 comm="IntentService[C" name="ctrl" dev=proc
ino=4026533142 scontext=u:r:untrusted_app:s0:c55
tcontext=u:object_r:qtaguid_proc:s0 tclass=file

Any suggestions? If I switch to enforcing mode, the phone can't connect
to the wifi network.

Thanks.



On Thu, Oct 4, 2012 at 4:16 PM, Stephen Smalley <[email protected]> wrote:

    On Thu, 2012-10-04 at 16:02 +0200, Alexandra Test wrote:

     > <5>[ 357.789520] type=1400 audit(1349358893.156:6): avc: denied
     > { write } for pid=1222 comm="adbd" name="sepolicy.24" dev=mmcblk0p12
     > ino=529432 scontext=u:r:adbd:s0
     > tcontext=u:object_r:system_data_file:s0 tclass=file
     > <5>[ 357.791107] type=1400 audit(1349358893.156:7): avc: denied
     > { open } for pid=1222 comm="adbd" name="sepolicy.24" dev=mmcblk0p12
     > ino=529432 scontext=u:r:adbd:s0
     > tcontext=u:object_r:system_data_file:s0 tclass=file
     > <5>[ 357.809570] type=1400 audit(1349358893.171:8): avc: denied
     > { setattr } for pid=1222 comm="adbd" name="sepolicy.24"
     > dev=mmcblk0p12 ino=529432 scontext=u:r:adbd:s0
     > tcontext=u:object_r:system_data_file:s0 tclass=file

    That is to be expected; current policy doesn't allow adbd to write
    to /data/system (system_data_file), so you are seeing denials from the
    adb push command. You can ignore them (just switch to permissive before
    doing the push) or you can allow them under a policy boolean that only
    gets set for development or you can make adbd a permissive domain for
    development (permissive adbd; in adbd.te).

     > So I rebooted the phone and only the first denials remain:
     > <5>[ 15.621246] type=1400 audit(1349359031.804:3): avc: denied
     > { getattr } for pid=453 comm="Thread-23" path="/cache/lost+found"
     > dev=mmcblk0p11 ino=11 scontext=u:r:media_app:s0
     > tcontext=u:object_r:unlabeled:s0 tclass=dir
     > <4>[ 20.224578] avc: received policyload notice (seqno=2)
     > <4>[ 20.227508] avc: received policyload notice (seqno=11)

    This indicates that the media_app first tried to probe that directory
    before it reloaded policy from /data/system/sepolicy.24. That's ok. To
    completely eliminate the noise, you can just rebuild your boot image and
    reflash it with your updated policy so that it is part of the original
    boot-time policy. But it isn't doing any harm.

    Are you doing a 'setprop selinux.reload_policy 1' from your post-fs-data
    section of your init.rc? You need to do that if you want it to always
    load policy from /data/system on each boot.


Yes, I did.

    BTW, with our latest code, we dropped the policy version suffix on the
    sepolicy file so it is just sepolicy now, not sepolicy.24. Don't know
    which version of the code you are using. Requires an updated libselinux
    and sepolicy.


The build number is: full_maguro-userdebug 4.1.1 JRO03L eng.root.20120913.142725 test-keys


     > To transfer the file I did an adb root, is this the problem?

    No.

    --
    Stephen Smalley
    National Security Agency
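The wifi denials posted above, worked through as an added example (not code from the original mail or from the SEAndroid project): a small audit2allow-style script that re-joins the mail-wrapped AVC records, groups them by source type, target type and object class, and renders candidate allow rules for review, since, as the reply above shows, some denials are worth allowing and others are better ignored or handled with a permissive domain. It assumes the records are pasted as SAMPLE_LOG (four taken verbatim from the thread) and generalises to any AVC line in this format, including MLS contexts such as u:r:untrusted_app:s0:c55.

```python
import re
from collections import defaultdict
# Sample input: AVC records copied from the thread above, still mail-wrapped.
SAMPLE_LOG = """
<5>[ 1556.632232] type=1400 audit(1349427775.554:6): avc: denied {
create } for pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid"
scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 1556.632690] type=1400 audit(1349427775.554:7): avc: denied { write
open } for pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12
ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0
tclass=file
<5>[ 1562.647552] type=1400 audit(1349427781.570:10): avc: denied {
create } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0
tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1569.517761] type=1400 audit(1349427798.658:16): avc: denied {
getsched } for pid=515 comm="Binder_7" scontext=u:r:system:s0
tcontext=u:r:untrusted_app:s0:c55 tclass=process
"""

# Fields of one denial; path=/dev=/ino= between "for" and scontext= are skipped.
AVC_RE = re.compile(r"avc: denied \{ (?P<perms>.+?) \} for .*?scontext=(?P<src>\S+) "
                    r"tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)")
PRINTK_PREFIX = re.compile(r"^<\d+>\[")  # "<5>[ 1556.632232]" starts a new record

def join_wrapped(text):
    """Re-join records that mail wrapping split; continuation lines lack a prefix."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if PRINTK_PREFIX.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records

def type_of(ctx):
    return ctx.split(":")[2]  # user:role:type[:mls] -> type; MLS cats like c55 drop

def parse_denials(text):
    """Aggregate (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for rec in join_wrapped(text):
        m = AVC_RE.search(rec)
        if m:
            key = (type_of(m["src"]), type_of(m["tgt"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def to_allow_rules(rules):  # same source and target type is written as self
    return [f"allow {s} {'self' if t == s else t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
```

For the sample this yields `allow dhcp dhcp_data_file:file { create open write };`, `allow system self:packet_socket { create };` and `allow system untrusted_app:process { getsched };`, each of which still needs a human decision before it goes into a .te file.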



--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
