#============= dhcp ==============
# audit2allow output for the dhcp domain, derived from the dhcpcd denials quoted below.
# The directory and file rules cover the lease and pid files named in those
# denials (dhcpcd-wlan0.lease, dhcpcd-wlan0.pid), all labeled dhcp_data_file.
allow dhcp dhcp_data_file:dir remove_name;
allow dhcp dhcp_data_file:file { write getattr read lock create unlink open };
# Generated from dhcpcd-run-hook executing /system/bin/toolbox. The rule is keyed
# on the type, so it lets dhcp run any file labeled system_file in its own
# domain, not only toolbox.
# NOTE(review): confirm that breadth is intended before merging into policy.
allow dhcp system_file:file execute_no_trans;
#============= media_app ==============
# Generated from a getattr on /cache/lost+found, whose target context is unlabeled.
# NOTE(review): the rule applies to every unlabeled directory; labeling that
# path may be the narrower fix — confirm against file_contexts.
allow media_app unlabeled:dir getattr;
#============= system ==============
# Generated from WifiWatchdogSta (scontext system) creating and using a packet socket.
# NOTE(review): this grants packet_socket use to everything running in the
# system domain, not just that thread — confirm that is acceptable.
allow system self:packet_socket { write getattr getopt read bind create };
________________________________________
From: [email protected] [[email protected]]
on behalf of Alexandra Test [[email protected]]
Sent: Friday, October 05, 2012 7:08 AM
To: Stephen Smalley
Cc: [email protected]
Subject: Re: how to solve denials in jb 4.1.1 galaxy nexus
On Fri, Oct 5, 2012 at 3:56 PM, Stephen Smalley
<[email protected]<mailto:[email protected]>> wrote:
On Fri, 2012-10-05 at 15:50 +0200, Alexandra Test wrote:
> My audit2allow does not recognize the -p option, can I launch the
> command without the reference to the policyfile?
Try it and see. It won't be able to resolve the security contexts or
support the -w / --why option in that case, but it may be able to
generate the allow rules nonetheless.
--
Stephen Smalley
National Security Agency
It does not work! These are the denials:
<5>[ 17.105438] type=1400 audit(1349445244.250:3): avc: denied { getattr }
for pid=603 comm="Thread-32" path="/cache/lost+found" dev=mmcblk0p11 ino=11
scontext=u:r:media_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<5>[ 17.273162] type=1400 audit(1349445244.421:4): avc: denied { write }
for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475
scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.273406] type=1400 audit(1349445244.421:5): avc: denied { open } for
pid=625 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475
scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.273559] type=1400 audit(1349445244.421:6): avc: denied { lock } for
pid=625 comm="dhcpcd" path="/data/misc/dhcp/dhcpcd-wlan0.pid" dev=mmcblk0p12
ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0
tclass=file
<5>[ 17.297729] type=1400 audit(1349445244.445:7): avc: denied {
execute_no_trans } for pid=628 comm="dhcpcd-run-hook"
path="/system/bin/toolbox" dev=mmcblk0p10 ino=216 scontext=u:r:dhcp:s0
tcontext=u:object_r:system_file:s0 tclass=file
<5>[ 17.378326] type=1400 audit(1349445244.523:8): avc: denied { read } for
pid=625 comm="dhcpcd" name="dhcpcd-wlan0.lease" dev=mmcblk0p12 ino=138476
scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.382781] type=1400 audit(1349445244.531:9): avc: denied { getattr }
for pid=625 comm="dhcpcd" path="/data/misc/dhcp/dhcpcd-wlan0.lease"
dev=mmcblk0p12 ino=138476 scontext=u:r:dhcp:s0
tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.509429] type=1400 audit(1349445244.656:10): avc: denied {
remove_name } for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.lease"
dev=mmcblk0p12 ino=138476 scontext=u:r:dhcp:s0
tcontext=u:object_r:dhcp_data_file:s0 tclass=dir
<5>[ 17.509674] type=1400 audit(1349445244.656:11): avc: denied { unlink }
for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.lease" dev=mmcblk0p12 ino=138476
scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.510528] type=1400 audit(1349445244.656:12): avc: denied { create }
for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.lease" scontext=u:r:dhcp:s0
tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.865844] type=1400 audit(1349445245.007:13): avc: denied { create }
for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0
tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.866027] type=1400 audit(1349445245.007:14): avc: denied { bind }
for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0
tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.929321] type=1400 audit(1349445245.078:15): avc: denied { write }
for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0
tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.939605] type=1400 audit(1349445245.085:16): avc: denied { read }
for pid=374 comm="WifiWatchdogSta" path="socket:[5193]" dev=sockfs ino=5193
scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.958923] type=1400 audit(1349445245.101:17): avc: denied { getattr }
for pid=374 comm="WifiWatchdogSta" path="socket:[5193]" dev=sockfs ino=5193
scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.959197] type=1400 audit(1349445245.101:18): avc: denied { getopt }
for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0
tcontext=u:r:system:s0 tclass=packet_socket