On 20/06/2013 17:23, Stephen Smalley wrote:
> On 06/20/2013 11:16 AM, Ronan TROTIN wrote:
>> Hi,
>>
>> I'm currently adding seandroid to a board running Android 4.2 following
>> the wiki.
>> I'm stuck with a socket file in /dev which is not properly labeled even
>> with the entry in file_contexts.
>> I don't understand because everything is fine with other entries.
>>
>> # cat file_contexts
>> #line 1 "external/sepolicy/file_contexts"
>> ###########################################
>> # Root
>> / u:object_r:rootfs:s0
>> [......lot of your stuff and a bit of mine...... ]
>> /dev/i2c-(.*)? u:object_r:i2c_device:s0
>> /dev/cg2900_bt(.*)? u:object_r:cg2900_bt_device:s0
>> /dev/ste_gnss_socket u:object_r:gps_socket:s0
>>
>>
>> # ls -Z /dev/ste_gnss_socket
>> s---rw---- root radio u:object_r:device:s0 ste_gnss_socket
>>
>>
>> # ls -Z /dev/cg2900_bt*
>> crw-rw---- bluetooth bluetooth u:object_r:cg2900_bt_device:s0 cg2900_bt_acl
>> crw-rw---- bluetooth bluetooth u:object_r:cg2900_bt_device:s0 cg2900_bt_cmd
>> crw-rw---- bluetooth bluetooth u:object_r:cg2900_bt_device:s0 cg2900_bt_evt
>>
>> At first I tried to label it gps_device because it's dev_type and it's in /dev.
>> When it failed I thought it was because it's a socket, so I tried with
>> gps_socket. No better result.
>>
>> When I try restorecon it fails if I do not give the absolute path,
>> else it's ok. Is it normal?
>>
>> # cd dev
>> # restorecon ste_gnss_socket
>> Could not lookup context for ste_gnss_socket: No such file or directory
>> # restorecon /dev/ste_gnss_socket
>> # ls -Z /dev/ste_gnss_socket
>> s---rw---- root radio u:object_r:gps_socket:s0 ste_gnss_socket
>>
>>
>> Any clues, anyone?
> Typically this happens when the socket is created directly by a daemon
> rather than by init. Sockets specified in the init*.rc files are
> labeled by init based on file_contexts, but if the socket is created
> directly by the daemon, then you need to set up a type transition in
> policy to label it. See the type_transition rule in
> external/sepolicy/gpsd.te for an example; you specify the domain of the
> creating process, the type of the parent directory, the class of file
> (in this case, sock_file), and the type you want to be assigned to the file.
>
> Yes, the toolbox restorecon command doesn't try to determine an absolute
> pathname for you, so you have to give it the absolute pathname or run it
> recursively on / to properly match against file_contexts.
>
>
> --
> This message was distributed to subscribers of the seandroid-list mailing
> list.
> If you no longer wish to subscribe, send mail to [email protected] with
> the words "unsubscribe seandroid-list" without quotes as the message.

Thanks for the reactiveness, I'll try it out.
--
Ronan Trotin
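
The type transition Stephen Smalley describes, written out for the socket in this thread as an added example; it is not part of the original messages and is not copied from external/sepolicy. The domain name ste_gnssd is a hypothetical placeholder, since the thread does not name the daemon and the example assumes it already runs in its own domain; device and gps_socket are the types visible in the ls -Z output above.

```selinux
# Added example, not project code.
# ste_gnssd is a HYPOTHETICAL domain name for the daemon that creates
# /dev/ste_gnss_socket. Replace it with the domain the daemon really runs in.

# The socket is created by the daemon itself, not by a "socket" line in
# init*.rc, so the file_contexts entry is never consulted at creation time
# and the new file inherits the type of its parent directory (device).

# To create an entry in /dev, the daemon needs these permissions on the
# parent directory's type.
allow ste_gnssd device:dir { search write add_name };

# type_transition <creating domain> <parent dir type>:<class> <new type>;
#   creating domain : ste_gnssd   (hypothetical, see above)
#   parent dir type : device      (label of /dev)
#   class           : sock_file   (a Unix socket node on the filesystem)
#   new type        : gps_socket  (label wanted on the socket)
type_transition ste_gnssd device:sock_file gps_socket;

# The transition only selects the label. The daemon still needs permission
# to create a sock_file of that type. setattr and unlink are included on the
# assumption that the daemon chmods the socket and removes a stale one on
# restart; drop them if it does neither.
allow ste_gnssd gps_socket:sock_file { create setattr unlink };
```

A type transition applies only when the file is created, so the daemon has to recreate the socket after the new policy is loaded. `ls -Z /dev/ste_gnss_socket` should then show gps_socket without running restorecon.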
