On 08/05/2013 08:20 AM, Stephen Smalley wrote:
> On 08/02/2013 10:24 PM, Peck, Michael A wrote:
>> I'm running into a related issue on a Galaxy Nexus (maguro) running master +
>> seandroid.
>> The denials I'm seeing are coming from sdcardd, not the app.
>> /mnt/sdcard or equivalent that the app is trying to access and its contents
>> are properly labeled as u:object_r:sdcard_internal:s0, but /data/media/0
>> (which sdcardd is trying to access) and its contents are
>> u:object_r:unlabeled:s0.
>> /data/media shouldn't be directly accessible from apps but needs to be
>> accessible by sdcardd.
>> Does installd.c need to be updated to set a security context when
>> /data/media/0 is created?
>>
>> type=1400 msg=audit(1375476226.381:87): avc: denied { create } for
>> pid=133 comm="sdcard" name="facebook_ringtone_pop.m4a"
>> scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
>> type=1400 msg=audit(1375476226.389:88): avc: denied { getattr } for
>> pid=133 comm="sdcard"
>> path="/data/media/0/media/audio/notifications/facebook_ringtone_pop.m4a"
>> dev=mmcblk0p12 ino=447948 scontext=u:r:sdcardd:s0
>> tcontext=u:object_r:unlabeled:s0 tclass=file
>> type=1400 msg=audit(1375476226.389:89): avc: denied { write } for pid=141
>> comm="sdcard" name="facebook_ringtone_pop.m4a" dev=mmcblk0p12 ino=447948
>> scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
>> type=1400 msg=audit(1375476226.389:90): avc: denied { open } for pid=141
>> comm="sdcard" name="facebook_ringtone_pop.m4a" dev=mmcblk0p12 ino=447948
>> scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
>>
>> shell@maguro:/data/media # ls -Z
>> drwxrwx--- media_rw media_rw u:object_r:unlabeled:s0 0
>> drwxrwxr-x media_rw media_rw u:object_r:system_data_file:s0 legacy
>> drwxrwx--- media_rw media_rw u:object_r:system_data_file:s0 obb
>>
>> shell@maguro:/data/media/0 # ls -Z
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Alarms
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Android
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 DCIM
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Download
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Movies
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Music
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Notifications
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Pictures
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Podcasts
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Ringtones
>> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 media
>
> I'm not seeing that here. Assuming you did reflash userdata correctly,
> did you in fact update your local_manifest.xml file so that it includes
> our modifications to frameworks/native as well? installd was moved from
> frameworks/base to frameworks/native and our changes to support labeling
> of multi-user data directories were "lost" in the 4.3 merge so we had to
> revive them there.
Sorry, never mind. I was thinking of /data/user labeling, not /data/media.
I will note that on maguro, there can be a problem with fastboot -w
flashall not completing on the userdata partition; you may have to
manually flash userdata separately. I think the problem goes away if
you reflash maguro with an updated bootloader from the factory images.
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
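As an added example that is not part of this thread, the following Python script parses AVC denial lines like the ones quoted above, groups them by (scontext, tcontext, tclass), and separates denials whose target type is `unlabeled` (a file-labeling problem, as diagnosed in the thread) from ordinary policy gaps. The sample input is constructed from the four sdcardd denials quoted above, each re-joined onto a single line.

```python
import re
from collections import defaultdict

# Constructed sample: the four sdcardd denials from the thread, one per line.
SAMPLE_AVC = """\
type=1400 msg=audit(1375476226.381:87): avc: denied { create } for pid=133 comm="sdcard" name="facebook_ringtone_pop.m4a" scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 msg=audit(1375476226.389:88): avc: denied { getattr } for pid=133 comm="sdcard" path="/data/media/0/media/audio/notifications/facebook_ringtone_pop.m4a" dev=mmcblk0p12 ino=447948 scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 msg=audit(1375476226.389:89): avc: denied { write } for pid=141 comm="sdcard" name="facebook_ringtone_pop.m4a" dev=mmcblk0p12 ino=447948 scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 msg=audit(1375476226.389:90): avc: denied { open } for pid=141 comm="sdcard" name="facebook_ringtone_pop.m4a" dev=mmcblk0p12 ino=447948 scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
"""

# "avc: denied { perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict (perms as a set), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = set(m.group('perms').split())
    return fields


def summarize(text):
    """Group denials by (scontext, tcontext, tclass); collect permissions and object names/paths."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set()})
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['scontext'], d['tcontext'], d['tclass'])
        groups[key]['perms'] |= d['perms']
        # 'path' is present only when the kernel could resolve one; fall back to 'name'.
        groups[key]['objects'].add(d.get('path') or d.get('name', '?'))
    return dict(groups)


def labeling_problems(groups):
    """Keys whose target type is 'unlabeled': the fix is labeling the files, not adding allow rules."""
    return [k for k in groups if k[1].split(':')[2] == 'unlabeled']


if __name__ == '__main__':
    g = summarize(SAMPLE_AVC)
    for key, info in g.items():
        print(key, sorted(info['perms']), sorted(info['objects']))
    print('labeling problems:', labeling_problems(g))
```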