BTW: The media_app denial surprises me for two reasons:

1) What is the media_app doing in /cache and what is it trying to do with lost+found?
2) Why is /cache/lost+found not labelled?

________________________________________
From: [email protected] [[email protected]] on behalf of Radzykewycz, T (Radzy) [[email protected]]
Sent: Friday, October 05, 2012 7:31 AM
To: Alexandra Test; Stephen Smalley
Cc: [email protected]
Subject: RE: how to solve denials in jb 4.1.1 galaxy nexus

#============= dhcp ==============
allow dhcp dhcp_data_file:dir remove_name;
allow dhcp dhcp_data_file:file { write getattr read lock create unlink open };
allow dhcp system_file:file execute_no_trans;

#============= media_app ==============
allow media_app unlabeled:dir getattr;

#============= system ==============
allow system self:packet_socket { write getattr getopt read bind create };

________________________________________
From: [email protected] [[email protected]] on behalf of Alexandra Test [[email protected]]
Sent: Friday, October 05, 2012 7:08 AM
To: Stephen Smalley
Cc: [email protected]
Subject: Re: how to solve denials in jb 4.1.1 galaxy nexus

On Fri, Oct 5, 2012 at 3:56 PM, Stephen Smalley <[email protected]> wrote:

> On Fri, 2012-10-05 at 15:50 +0200, Alexandra Test wrote:
> > My audit2allow does not recognize the -p option, can I launch the
> > command without the reference to the policyfile?
>
> Try it and see. It won't be able to resolve the security contexts or
> support the -w / --why option in that case, but it may be able to
> generate the allow rules nonetheless.
>
> --
> Stephen Smalley
> National Security Agency

It does not work!

These are the denials:

<5>[ 17.105438] type=1400 audit(1349445244.250:3): avc: denied { getattr } for pid=603 comm="Thread-32" path="/cache/lost+found" dev=mmcblk0p11 ino=11 scontext=u:r:media_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<5>[ 17.273162] type=1400 audit(1349445244.421:4): avc: denied { write } for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.273406] type=1400 audit(1349445244.421:5): avc: denied { open } for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.273559] type=1400 audit(1349445244.421:6): avc: denied { lock } for pid=625 comm="dhcpcd" path="/data/misc/dhcp/dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.297729] type=1400 audit(1349445244.445:7): avc: denied { execute_no_trans } for pid=628 comm="dhcpcd-run-hook" path="/system/bin/toolbox" dev=mmcblk0p10 ino=216 scontext=u:r:dhcp:s0 tcontext=u:object_r:system_file:s0 tclass=file
<5>[ 17.378326] type=1400 audit(1349445244.523:8): avc: denied { read } for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.lease" dev=mmcblk0p12 ino=138476 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.382781] type=1400 audit(1349445244.531:9): avc: denied { getattr } for pid=625 comm="dhcpcd" path="/data/misc/dhcp/dhcpcd-wlan0.lease" dev=mmcblk0p12 ino=138476 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.509429] type=1400 audit(1349445244.656:10): avc: denied { remove_name } for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.lease" dev=mmcblk0p12 ino=138476 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=dir
<5>[ 17.509674] type=1400 audit(1349445244.656:11): avc: denied { unlink } for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.lease" dev=mmcblk0p12 ino=138476 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.510528] type=1400 audit(1349445244.656:12): avc: denied { create } for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.lease" scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.865844] type=1400 audit(1349445245.007:13): avc: denied { create } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.866027] type=1400 audit(1349445245.007:14): avc: denied { bind } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.929321] type=1400 audit(1349445245.078:15): avc: denied { write } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.939605] type=1400 audit(1349445245.085:16): avc: denied { read } for pid=374 comm="WifiWatchdogSta" path="socket:[5193]" dev=sockfs ino=5193 scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.958923] type=1400 audit(1349445245.101:17): avc: denied { getattr } for pid=374 comm="WifiWatchdogSta" path="socket:[5193]" dev=sockfs ino=5193 scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.959197] type=1400 audit(1349445245.101:18): avc: denied { getopt } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket

--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
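As an added example (my own code, not audit2allow and not anything posted in the thread): a small Python script that performs the same denial-to-allow-rule aggregation audit2allow does when it cannot load a policy file, run over a subset of the AVC lines quoted above (copied inline as constructed sample input), followed by a check that flags rules whose target type is "unlabeled", since the BTW above questions why /cache/lost+found is unlabelled rather than simply accepting the generated allow rule. The function names, the output layout and the heuristic in review() are my own assumptions, not part of any SE Android tool.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC denials quoted in the thread above,
# with the dmesg "<5>[ ... ]" prefix as it appears on a JB 4.1.1 device.
SAMPLE_DMESG = """\
<5>[ 17.105438] type=1400 audit(1349445244.250:3): avc: denied { getattr } for pid=603 comm="Thread-32" path="/cache/lost+found" dev=mmcblk0p11 ino=11 scontext=u:r:media_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<5>[ 17.273162] type=1400 audit(1349445244.421:4): avc: denied { write } for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.273406] type=1400 audit(1349445244.421:5): avc: denied { open } for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[ 17.297729] type=1400 audit(1349445244.445:7): avc: denied { execute_no_trans } for pid=628 comm="dhcpcd-run-hook" path="/system/bin/toolbox" dev=mmcblk0p10 ino=216 scontext=u:r:dhcp:s0 tcontext=u:object_r:system_file:s0 tclass=file
<5>[ 17.509429] type=1400 audit(1349445244.656:10): avc: denied { remove_name } for pid=625 comm="dhcpcd" name="dhcpcd-wlan0.lease" dev=mmcblk0p12 ino=138476 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=dir
<5>[ 17.865844] type=1400 audit(1349445245.007:13): avc: denied { create } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
<5>[ 17.866027] type=1400 audit(1349445245.007:14): avc: denied { bind } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
"""

# Matches the permission set and the three fields an allow rule needs; the
# pid/comm/path fields in between are skipped with a lazy ".*?".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """u:r:dhcp:s0 -> dhcp ; u:object_r:dhcp_data_file:s0 -> dhcp_data_file."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_denials(text):
    """Yield (source_type, target_type, tclass, {perms}) for every AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (or truncated); skip silently
        yield (context_type(m['scon']), context_type(m['tcon']),
               m['tclass'], set(m['perms'].split()))


def aggregate(denials):
    """Merge permissions per (source, target, class), writing 'self' when the
    source and target contexts are the same (as audit2allow does)."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        key = (src, 'self' if src == tgt else tgt, cls)
        rules[key] |= perms
    return rules


def format_rules(rules):
    """Render in the grouped-by-domain layout quoted in the thread."""
    out = []
    for src in sorted({k[0] for k in rules}):
        out.append('#============= %s ==============' % src)
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s != src:
                continue
            p = sorted(perms)
            perm_str = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
            out.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_str))
    return '\n'.join(out)


def review(rules):
    """My own heuristic (assumption, not an audit2allow feature): a rule whose
    target is the 'unlabeled' type usually points at an object that was never
    labelled, which is worth fixing before granting the access."""
    warnings = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if tgt == 'unlabeled':
            warnings.append('%s -> %s:%s %s: target is unlabeled; check why the '
                            'object has no label before allowing this'
                            % (src, tgt, cls, sorted(perms)))
    return warnings


if __name__ == '__main__':
    rules = aggregate(parse_denials(SAMPLE_DMESG))
    print(format_rules(rules))
    for w in review(rules):
        print('WARNING:', w)
```

Permissions are printed in sorted order rather than in order of first appearance, so the output is stable across runs; otherwise the rules match the ones Radzy posted for the lines included in the sample.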
