On Fri, 2012-10-05 at 11:28 +0200, Alexandra Test wrote:
> I am still in permissive mode, I tried to activate the wifi and
> capture the denials.
> Here they are:
> <5>[ 1556.632232] type=1400 audit(1349427775.554:6): avc: denied
> { create } for pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid"
> scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
> <5>[ 1556.632690] type=1400 audit(1349427775.554:7): avc: denied
> { write open } for pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid"
> dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0
> tcontext=u:object_r:dhcp_data_file:s0 tclass=file
> <5>[ 1556.632995] type=1400 audit(1349427775.554:8): avc: denied
> { lock } for pid=1540 comm="dhcpcd"
> path="/data/misc/dhcp/dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475
> scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
> <5>[ 1556.654541] type=1400 audit(1349427775.570:9): avc: denied
> { execute_no_trans } for pid=1542 comm="dhcpcd-run-hook"
> path="/system/bin/toolbox" dev=mmcblk0p10 ino=216 scontext=u:r:dhcp:s0
> tcontext=u:object_r:system_file:s0 tclass=file
> <5>[ 1562.647552] type=1400 audit(1349427781.570:10): avc: denied
> { create } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0
> tcontext=u:r:system:s0 tclass=packet_socket
> <5>[ 1562.648071] type=1400 audit(1349427781.570:11): avc: denied
> { bind } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0
> tcontext=u:r:system:s0 tclass=packet_socket
> <5>[ 1562.671142] type=1400 audit(1349427781.593:12): avc: denied
> { write } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0
> tcontext=u:r:system:s0 tclass=packet_socket
> <5>[ 1562.684631] type=1400 audit(1349427781.601:13): avc: denied
> { read } for pid=380 comm="WifiWatchdogSta" path="socket:[9671]"
> dev=sockfs ino=9671 scontext=u:r:system:s0 tcontext=u:r:system:s0
> tclass=packet_socket
> <5>[ 1562.697631] type=1400 audit(1349427781.617:14): avc: denied
> { getattr } for pid=380 comm="WifiWatchdogSta" path="socket:[9671]"
> dev=sockfs ino=9671 scontext=u:r:system:s0 tcontext=u:r:system:s0
> tclass=packet_socket
> <5>[ 1562.697875] type=1400 audit(1349427781.617:15): avc: denied
> { getopt } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0
> tcontext=u:r:system:s0 tclass=packet_socket
> <5>[ 1569.517761] type=1400 audit(1349427798.658:16): avc: denied
> { getsched } for pid=515 comm="Binder_7" scontext=u:r:system:s0
> tcontext=u:r:untrusted_app:s0:c55 tclass=process
> <5>[ 1569.754669] type=1400 audit(1349427798.892:17): avc: denied
> { read } for pid=1632 comm="IntentService[C" name="xt_qtaguid"
> dev=tmpfs ino=4261 scontext=u:r:untrusted_app:s0:c55
> tcontext=u:object_r:qtaguid_device:s0 tclass=chr_file
> <5>[ 1569.754852] type=1400 audit(1349427798.892:18): avc: denied
> { open } for pid=1632 comm="IntentService[C" name="xt_qtaguid"
> dev=tmpfs ino=4261 scontext=u:r:untrusted_app:s0:c55
> tcontext=u:object_r:qtaguid_device:s0 tclass=chr_file
> <5>[ 1569.755432] type=1400 audit(1349427798.892:19): avc: denied
> { open } for pid=1632 comm="IntentService[C" name="ctrl" dev=proc
> ino=4026533142 scontext=u:r:untrusted_app:s0:c55
> tcontext=u:object_r:qtaguid_proc:s0 tclass=file
>
>
> Any suggestions? If I switch to enforcing mode, the phone can't
> connect to the wifi network.
Until these are fixed in the upstream sepolicy, you can allow these
permissions in your policy as follows:
1) Save the denials to a file, e.g.
adb shell su 0 dmesg > dmesg.txt.
2) Generate allow rules from the denials, e.g.
audit2allow -p out/target/product/maguro/root/sepolicy.24 < dmesg.txt > local.te
3) Copy local.te into your policy and rebuild it.
cp local.te external/sepolicy
make sepolicy
4) Push your policy to your device, reload it and retry.
adb root
adb push out/target/product/maguro/root/sepolicy.24 /data/system
adb shell su 0 setprop selinux.reload_policy 1
--
Stephen Smalley
National Security Agency
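Added example (editor's note, not part of Stephen's reply or of the audit2allow tool): step 2 above hands the denials to audit2allow, which prints one allow rule per (source type, target type, class) triple. The script below does the same reduction over the denials quoted in this thread (unwrapped from the mail, otherwise verbatim) so the shape of the resulting local.te can be checked without a built policy; rule text is sorted for stability, so the ordering may differ from what audit2allow prints. It also flags, using a heuristic of our own (the APP_DOMAINS set is an assumption, not anything audit2allow knows about), the rules a reviewer should justify rather than paste in: anything that widens an app domain, or that grants raw packet sockets.

```python
import re

# The denials from the thread, one audit record per line (constructed
# from the quoted mail by joining the wrapped lines).
DENIALS = """
<5>[ 1556.632232] type=1400 audit(1349427775.554:6): avc: denied { create } for pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid" scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 1556.632690] type=1400 audit(1349427775.554:7): avc: denied { write open } for pid=1540 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 1556.632995] type=1400 audit(1349427775.554:8): avc: denied { lock } for pid=1540 comm="dhcpcd" path="/data/misc/dhcp/dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 1556.654541] type=1400 audit(1349427775.570:9): avc: denied { execute_no_trans } for pid=1542 comm="dhcpcd-run-hook" path="/system/bin/toolbox" dev=mmcblk0p10 ino=216 scontext=u:r:dhcp:s0 tcontext=u:object_r:system_file:s0 tclass=file
<5>[ 1562.647552] type=1400 audit(1349427781.570:10): avc: denied { create } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.648071] type=1400 audit(1349427781.570:11): avc: denied { bind } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.671142] type=1400 audit(1349427781.593:12): avc: denied { write } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.684631] type=1400 audit(1349427781.601:13): avc: denied { read } for pid=380 comm="WifiWatchdogSta" path="socket:[9671]" dev=sockfs ino=9671 scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.697631] type=1400 audit(1349427781.617:14): avc: denied { getattr } for pid=380 comm="WifiWatchdogSta" path="socket:[9671]" dev=sockfs ino=9671 scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1562.697875] type=1400 audit(1349427781.617:15): avc: denied { getopt } for pid=380 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 1569.517761] type=1400 audit(1349427798.658:16): avc: denied { getsched } for pid=515 comm="Binder_7" scontext=u:r:system:s0 tcontext=u:r:untrusted_app:s0:c55 tclass=process
<5>[ 1569.754669] type=1400 audit(1349427798.892:17): avc: denied { read } for pid=1632 comm="IntentService[C" name="xt_qtaguid" dev=tmpfs ino=4261 scontext=u:r:untrusted_app:s0:c55 tcontext=u:object_r:qtaguid_device:s0 tclass=chr_file
<5>[ 1569.754852] type=1400 audit(1349427798.892:18): avc: denied { open } for pid=1632 comm="IntentService[C" name="xt_qtaguid" dev=tmpfs ino=4261 scontext=u:r:untrusted_app:s0:c55 tcontext=u:object_r:qtaguid_device:s0 tclass=chr_file
<5>[ 1569.755432] type=1400 audit(1349427798.892:19): avc: denied { open } for pid=1632 comm="IntentService[C" name="ctrl" dev=proc ino=4026533142 scontext=u:r:untrusted_app:s0:c55 tcontext=u:object_r:qtaguid_proc:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption (ours): domains we treat as low-trust when reviewing new rules.
APP_DOMAINS = {"untrusted_app"}


def ctx_type(ctx):
    """Type field of an SELinux context, e.g. u:r:untrusted_app:s0:c55 -> untrusted_app."""
    return ctx.split(":")[2]


def generate_rules(text):
    """Fold denials into {(src, tgt, tclass): set(perms)}, like audit2allow does.
    A target equal to the source is written as 'self'."""
    rules = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (dmesg noise)
        fields = dict(FIELD_RE.findall(m.group("rest")))
        src = ctx_type(fields["scontext"])
        tgt = ctx_type(fields["tcontext"])
        key = (src, "self" if tgt == src else tgt, fields["tclass"])
        rules.setdefault(key, set()).update(m.group("perms").split())
    return rules


def format_rules(rules):
    """Render the merged rules as policy language for local.te."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out


def rules_needing_review(rules):
    """Our heuristic: rules that widen an app domain, or that grant raw
    packet sockets, deserve a justification before they go into the policy."""
    return [key for key in sorted(rules)
            if key[0] in APP_DOMAINS or key[2] == "packet_socket"]


if __name__ == "__main__":
    merged = generate_rules(DENIALS)
    for rule in format_rules(merged):
        print(rule)
    for src, tgt, cls in rules_needing_review(merged):
        print(f"# review: allow {src} {tgt}:{cls}")
```

The point of running it before step 3 is that audit2allow is faithful, not judicious: it will happily emit the untrusted_app rules for the qtaguid device and proc node alongside the dhcp file rules, and copying local.te wholesale into external/sepolicy grants all of them to every device built from that tree until the upstream fix lands.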
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.