1. Did you push the new policy files to data/system or reflash boot.img?
Check your
out/target/product/<mfr>/<prod>/obj/ETC/sepolicy_intermediates/policy.conf
and make sure the build process placed the new rules in that file. That
file is the concatenation of all your policy files before it is run through
check_policy for compilation to the resulting binary version of the policy
which is the sepolicy file.
On Oct 11, 2012 3:35 AM, "Alexandra Test" <[email protected]>
wrote:
> I tried many times to add the policies that Radzy also suggested to the
> policy files (either app.te or dhcp.te) but nothing changes. I continue to
> have the same denials and the same suggestions from audit2allow.
>
> <5>[ 15.910278] type=1400 audit(1349951414.156:3): avc: denied {
> getattr } for pid=463 comm="Thread-23" path="/cache/lost+found"
> dev=mmcblk0p11 ino=11 scontext=u:r:media_app:s0
> tcontext=u:object_r:unlabeled:s0 tclass=dir
> <5>[ 17.115966] type=1400 audit(1349951415.359:4): avc: denied { write
> } for pid=633 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12
> ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0
> tclass=file
> <5>[ 17.116241] type=1400 audit(1349951415.367:5): avc: denied { open
> } for pid=633 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12
> ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0
> tclass=file
> <5>[ 17.116424] type=1400 audit(1349951415.367:6): avc: denied { lock
> } for pid=633 comm="dhcpcd" path="/data/misc/dhcp/dhcpcd-wlan0.pid"
> dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0
> tcontext=u:object_r:dhcp_data_file:s0 tclass=file
> <5>[ 17.134094] type=1400 audit(1349951415.382:7): avc: denied {
> execute_no_trans } for pid=635 comm="dhcpcd-run-hook"
> path="/system/bin/toolbox" dev=mmcblk0p10 ino=216 scontext=u:r:dhcp:s0
> tcontext=u:object_r:system_file:s0 tclass=file
> <5>[ 17.177642] type=1400 audit(1349951415.421:8): avc: denied { read
> } for pid=633 comm="dhcpcd" name="dhcpcd-wlan0.lease" dev=mmcblk0p12
> ino=138474 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0
> tclass=file
> <5>[ 17.178924] type=1400 audit(1349951415.429:9): avc: denied {
> getattr } for pid=633 comm="dhcpcd"
> path="/data/misc/dhcp/dhcpcd-wlan0.lease" dev=mmcblk0p12 ino=138474
> scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
> <5>[ 17.267181] type=1400 audit(1349951415.515:10): avc: denied {
> remove_name } for pid=633 comm="dhcpcd" name="dhcpcd-wlan0.lease"
> dev=mmcblk0p12 ino=138474 scontext=u:r:dhcp:s0
> tcontext=u:object_r:dhcp_data_file:s0 tclass=dir
> <5>[ 17.267395] type=1400 audit(1349951415.515:11): avc: denied {
> unlink } for pid=633 comm="dhcpcd" name="dhcpcd-wlan0.lease"
> dev=mmcblk0p12 ino=138474 scontext=u:r:dhcp:s0
> tcontext=u:object_r:dhcp_data_file:s0 tclass=file
> <5>[ 17.267944] type=1400 audit(1349951415.515:12): avc: denied {
> create } for pid=633 comm="dhcpcd" name="dhcpcd-wlan0.lease"
> scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
> <5>[ 17.516113] type=1400 audit(1349951415.765:13): avc: denied {
> create } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0
> tcontext=u:r:system:s0 tclass=packet_socket
> <5>[ 17.516326] type=1400 audit(1349951415.765:14): avc: denied { bind
> } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0
> tcontext=u:r:system:s0 tclass=packet_socket
> <5>[ 17.561767] type=1400 audit(1349951415.812:15): avc: denied {
> write } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0
> tcontext=u:r:system:s0 tclass=packet_socket
> <5>[ 17.564178] type=1400 audit(1349951415.812:16): avc: denied { read
> } for pid=374 comm="WifiWatchdogSta" path="socket:[2865]" dev=sockfs
> ino=2865 scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
> <5>[ 17.585296] type=1400 audit(1349951415.835:17): avc: denied {
> getattr } for pid=374 comm="WifiWatchdogSta" path="socket:[2865]"
> dev=sockfs ino=2865 scontext=u:r:system:s0 tcontext=u:r:system:s0
> tclass=packet_socket
> <5>[ 17.585571] type=1400 audit(1349951415.835:18): avc: denied {
> getopt } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0
> tcontext=u:r:system:s0 tclass=packet_socket
>
>
> On Tue, Oct 9, 2012 at 4:05 PM, Stephen Smalley <[email protected]> wrote:
>
>> On Mon, 2012-10-08 at 15:15 +0200, Alexandra Test wrote:
>> > I can't resolve the denials.
>> > Is there any guide with the explanation of all the sepolicy files?
>> > I read the seandroid webpage and tried to find some explanation in the
>> > mailing list but without success.
>>
>> Radzy sent you the required allow rules based on your denials. You just
>> need to add them to your policy and rebuild.
>>
>> They are just SELinux policy files, so look at the various resources
>> available for understanding and writing SELinux policy. There will be
>> some differences since the layout and conventions are not the same as
>> for the SELinux reference policy used in conventional Linux
>> distributions, but the SE Android policy is much smaller and simpler so
>> it shouldn't take long to become familiar with it.
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>
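What audit2allow is doing with the denials quoted above, and the policy.conf check suggested in the reply at the top of the thread, as an added Python example; it is not code from this thread or from the SEAndroid project. It parses the quoted AVC lines (re-joined onto single lines and embedded as constructed sample input), aggregates them into one allow rule per source/target/class the way audit2allow does, flags the unlabeled target (a missing file label is fixed with a file_contexts entry and a relabel, not an allow rule), and compares the result against a constructed, hypothetical policy.conf fragment to report which denied permissions the built policy still lacks.

```python
import re
from collections import defaultdict

# Constructed sample input: some of the denials quoted in the thread, re-joined
# onto single lines (the mail client had wrapped them). Not a fresh capture.
SAMPLE_DMESG = """\
<5>[   15.910278] type=1400 audit(1349951414.156:3): avc: denied { getattr } for pid=463 comm="Thread-23" path="/cache/lost+found" dev=mmcblk0p11 ino=11 scontext=u:r:media_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<5>[   17.115966] type=1400 audit(1349951415.359:4): avc: denied { write } for pid=633 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[   17.116241] type=1400 audit(1349951415.367:5): avc: denied { open } for pid=633 comm="dhcpcd" name="dhcpcd-wlan0.pid" dev=mmcblk0p12 ino=138475 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=file
<5>[   17.267181] type=1400 audit(1349951415.515:10): avc: denied { remove_name } for pid=633 comm="dhcpcd" name="dhcpcd-wlan0.lease" dev=mmcblk0p12 ino=138474 scontext=u:r:dhcp:s0 tcontext=u:object_r:dhcp_data_file:s0 tclass=dir
<5>[   17.516113] type=1400 audit(1349951415.765:13): avc: denied { create } for pid=374 comm="WifiWatchdogSta" scontext=u:r:system:s0 tcontext=u:r:system:s0 tclass=packet_socket
"""

# Constructed, hypothetical stand-in for the relevant lines of the built
# policy.conf: the dir rule is absent and the file rule lacks "open", as if
# only part of the suggested fix had made it into the build.
SAMPLE_POLICY_CONF = """\
allow dhcp dhcp_data_file:file { read write getattr };
allow system self:packet_socket { create bind };
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_field(context):
    """Extract the type from a user:role:type:mls context: u:r:dhcp:s0 -> dhcp."""
    parts = context.split(":")
    if len(parts) < 4:
        raise ValueError(f"not a user:role:type:mls context: {context}")
    return parts[2]


def parse_denials(log_text):
    """Aggregate AVC denials into {(source_type, target_type, tclass): {perms}}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC line (a line wrapped by a mailer must be re-joined first)
        key = (type_field(m["scon"]), type_field(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def allow_rules(denials):
    """Render one allow rule per (source, target, class), audit2allow-style.
    A target type equal to the source type is written as 'self', as policy convention has it."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        target = "self" if ttype == stype else ttype
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {stype} {target}:{tclass} {plist};")
    return rules


def flag_unlabeled(denials):
    """Keys whose target type is 'unlabeled'. Allowing those papers over a missing
    file label; the fix is a file_contexts entry plus a relabel, not an allow rule."""
    return [k for k in sorted(denials) if k[1] == "unlabeled"]


def granted_in_policy_conf(policy_conf_text, stype, ttype, tclass):
    """Permissions policy.conf already grants for (source, target, class).
    Handles plain single-line 'allow' statements with one perm or a { } set only."""
    target = "self" if ttype == stype else ttype
    pat = re.compile(
        rf"^\s*allow\s+{re.escape(stype)}\s+{re.escape(target)}\s*:\s*{re.escape(tclass)}\s+"
        r"(?:\{\s*(?P<set>[^}]*?)\s*\}|(?P<one>\w+))\s*;",
        re.M,
    )
    granted = set()
    for m in pat.finditer(policy_conf_text):
        perms = m["set"] if m["set"] is not None else m["one"]
        granted.update(perms.split())
    return granted


def still_missing(denials, policy_conf_text):
    """Denied permissions that policy.conf does not yet grant, per key."""
    missing = {}
    for key, perms in denials.items():
        gap = perms - granted_in_policy_conf(policy_conf_text, *key)
        if gap:
            missing[key] = gap
    return missing


if __name__ == "__main__":
    found = parse_denials(SAMPLE_DMESG)
    for rule in allow_rules(found):
        print(rule)
    for key in flag_unlabeled(found):
        print("label the target instead of allowing:", key)
    for key, gap in sorted(still_missing(found, SAMPLE_POLICY_CONF).items()):
        print("not in policy.conf:", key, sorted(gap))
```

Run it against a real device by piping `adb shell dmesg` (or logcat) into parse_denials and the real policy.conf path from the reply above into still_missing; an empty result from still_missing while the denials persist points at the policy not having been reflashed, which is the first question asked in the reply.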