On Aug 8, 2013, at 1:35 PM, Stephen Smalley wrote: > On 08/08/2013 01:31 PM, Daniel Mirsky wrote: >> On Aug 8, 2013, at 1:11 PM, Stephen Smalley wrote: >> >>> On 08/08/2013 11:07 AM, Daniel Mirsky wrote: >>>> Hello, >>>> >>>> We are trying to get seandroid 4.0.4 working on some custom hardware based >>>> on the OMAP3EVM. Unfortunately, we do not have the latest Android builds >>>> working on this hardware, so we have to use 4.0.4. >>>> >>>> I have gotten SELinux and SEAndroid running, but am having trouble with >>>> app labeling. I have tried signing with a custom key (and adding the >>>> necessary changes to mac_permissions, keys.conf, seapp_context, and >>>> app.te) as well as signing with the platform key provided in >>>> build/target/product/security. I have verified the signature from the >>>> generated mac_permissions.xml matches the signature of my app (logged with >>>> PackageManager from within the app), but it is still listed as >>>> untrusted_app in ps. >>>> >>>> I also tried editing mac_permissions.xml so the default entry is given an >>>> seinfo label of "default": >>>> <!-- All other keys --> >>>> <default> >>>> <seinfo value="default" /> >>>> </default> >>>> >>>> and then edited seapp_contexts to check for seinfo="default" for >>>> untrusted_app. >>>> user=_app seinfo=default domain=untrusted_app type=app_data_file >>>> levelFrom=app >>>> This resulted in all apps being started in the kernel domain. >>>> >>>> It looks like the seinfo value is not being set. Is there a way to check >>>> the seinfo value from adb? >>>> Is there a step I am missing? Where should I look to solve this issue? >>> >>> The fact that you have apps running in the kernel domain suggests that >>> you have much bigger problems than just seinfo tagging. Like maybe you >>> never loaded a policy at all or if you did, you never transitioned to >>> the init domain via the setcon statement in init.rc. >>> >>> Here's a random guess: you pulled down a recent external/sepolicy with >>> your 4.0.4 checkout, and current external/sepolicy builds policy version >>> 26, but your kernel doesn't support policy version 26 and therefore >>> policy couldn't be loaded. You need at least kernel >= 3.0 to use >>> policy version 26. Otherwise you need to force the policy version back >>> to 24 via POLICYVERS=24 in your environment or in the >>> external/sepolicy/Android.mk file. >>> >>> But please note that seandroid 4.0.4 is not supported by us any longer. >> >> Thank you for the quick reply. >> I did set the POLICYVERS=24 and I can see that SELinux is running. If I >> don't edit the mac_permissions.xml file, all the apps will run in the >> untrusted_app domain and I see AVC denials, so it looks like everything else >> is working. The "About tablet" screen also reports that SELinux is in >> permissive mode and I am able to set enforcing mode, with a lot of apps >> crashing immediately after. > > (don't know if you meant to omit the list from your reply; adding at > least rpcraig back to the cc line) > > You had said that apps were running in the kernel domain in your initial > message. I don't see how that is possible unless the zygote is running > in the kernel domain, which would mean that lots of processes are in the > wrong domains, not just apps. ps -Z shows what? Is your system > partition labeled, i.e. ls -Z /system/bin shows labels other than > unlabeled? And what about init - it should have switched to the init > domain via setcon in the init.rc, so nothing except kernel threads > should be running in the kernel domain. > I did omit the list by accident, sorry about that.
My system partition is unlabeled, just noticed that. root@android:/data # ls -Z /system/bin/ -rwxr-xr-x root root u:object_r:unlabeled:s0 BlobCache_test -rwxr-xr-x root root u:object_r:unlabeled:s0 InputChannel_test -rwxr-xr-x root root u:object_r:unlabeled:s0 InputDispatcher_test -rwxr-xr-x root root u:object_r:unlabeled:s0 InputEvent_test -rwxr-xr-x root root u:object_r:unlabeled:s0 InputPublisherAndConsumer_test -rwxr-xr-x root root u:object_r:unlabeled:s0 InputReader_test -rwxr-xr-x root root u:object_r:unlabeled:s0 Looper_test -rwxr-xr-x root root u:object_r:unlabeled:s0 ObbFile_test -rwxr-xr-x root root u:object_r:unlabeled:s0 String8_test -rwxr-xr-x root root u:object_r:unlabeled:s0 Unicode_test -rwxr-xr-x root root u:object_r:unlabeled:s0 ZipFileRO_test -rwxr-xr-x root root u:object_r:unlabeled:s0 adb -rwxr-xr-x root root u:object_r:unlabeled:s0 am ... Output of ps with the mentioned modifications to mac_permissions and seapp_contexts: root@android:/proc/sys/kernel # ps -Z LABEL USER PID PPID NAME u:r:kernel:s0 root 1 0 init u:r:kernel:s0 root 2 0 kthreadd u:r:kernel:s0 root 3 2 ksoftirqd/0 u:r:kernel:s0 root 5 2 kworker/u:0 u:r:kernel:s0 root 6 2 khelper u:r:kernel:s0 root 7 2 kworker/u:1 u:r:kernel:s0 root 12 2 suspend u:r:kernel:s0 root 50 2 irq/72-serial i u:r:kernel:s0 root 52 2 irq/73-serial i u:r:kernel:s0 root 54 2 irq/74-serial i u:r:kernel:s0 root 56 2 irq/80-serial i u:r:kernel:s0 root 267 2 sync_supers u:r:kernel:s0 root 269 2 bdi-default u:r:kernel:s0 root 271 2 kblockd u:r:kernel:s0 root 284 2 omap2_mcspi u:r:kernel:s0 root 298 2 khubd u:r:kernel:s0 root 303 2 kseriod u:r:kernel:s0 root 311 2 twl4030-irqchip u:r:kernel:s0 root 312 2 twl4030-irq u:r:kernel:s0 root 325 2 irq/378-twl4030 u:r:kernel:s0 root 342 2 irq/188-3-0022 u:r:kernel:s0 root 345 2 irq/187-3-0023 u:r:kernel:s0 root 354 2 kmmcd u:r:kernel:s0 root 444 2 musb-hdrc.0 u:r:kernel:s0 root 446 2 rpciod u:r:kernel:s0 root 447 2 kworker/0:1 u:r:kernel:s0 root 457 2 kswapd0 u:r:kernel:s0 root 459 2 fsnotify_mark u:r:kernel:s0 root 460 2 aio u:r:kernel:s0 root 461 2 nfsiod u:r:kernel:s0 root 462 2 crypto u:r:kernel:s0 root 478 2 dsi u:r:kernel:s0 root 611 2 irq/369-twl4030 u:r:kernel:s0 root 613 2 kpsmoused u:r:kernel:s0 root 619 2 irq/318-atmel_m u:r:kernel:s0 root 625 2 irq/376-twl4030 u:r:kernel:s0 root 667 2 kstriped u:r:kernel:s0 root 669 2 kondemand u:r:kernel:s0 root 679 2 usbhid_resumer u:r:kernel:s0 root 682 2 binder u:r:kernel:s0 root 721 2 mmcqd/0 u:r:kernel:s0 root 823 2 loop0 u:r:kernel:s0 root 876 1 /bin/sh u:r:kernel:s0 root 1534 876 sh u:r:kernel:s0 root 1535 1534 sh u:r:kernel:s0 root 1560 2 loop1 u:r:kernel:s0 root 1604 1535 sh u:r:kernel:s0 root 1607 1604 cat u:r:kernel:s0 root 1659 1535 /init u:r:kernel:s0 root 1660 1659 /sbin/ueventd u:r:kernel:s0 root 1997 2 cfg80211 u:r:kernel:s0 system 2003 1659 /system/bin/servicemanager u:r:kernel:s0 root 2004 1659 /system/bin/vold u:r:kernel:s0 root 2006 1659 /system/bin/netd u:r:kernel:s0 root 2007 1659 /system/bin/debuggerd u:r:kernel:s0 root 2008 1659 /system/bin/rild u:r:kernel:s0 system 2009 1659 /system/bin/surfaceflinger u:r:kernel:s0 root 2010 1659 zygote u:r:kernel:s0 drm 2011 1659 /system/bin/drmserver u:r:kernel:s0 media 2012 1659 /system/bin/mediaserver u:r:kernel:s0 bluetooth 2013 1659 /system/bin/dbus-daemon u:r:kernel:s0 root 2017 1659 /system/bin/installd u:r:kernel:s0 keystore 2018 1659 /system/bin/keystore u:r:kernel:s0 root 2019 1659 /system/bin/sh u:r:kernel:s0 root 2020 1659 /sbin/adbd u:r:kernel:s0 root 2030 2 pvr_timer u:r:kernel:s0 root 2091 2 pvr_workqueue u:r:kernel:s0 root 2120 2 omaplfb u:r:system:s0 system 2233 2010 system_server u:r:system_app:s0 system 2589 2010 com.android.systemui u:r:kernel:s0 app_30 2610 2010 com.android.inputmethod.latin u:r:radio:s0 radio 2626 2010 com.android.phone u:r:system_app:s0 system 2637 2010 com.android.settings u:r:kernel:s0 app_24 2738 2010 com.android.smspush u:r:kernel:s0 app_1 2749 2010 android.process.acore u:r:kernel:s0 app_25 2794 2010 com.android.provision u:r:kernel:s0 app_20 2872 2010 com.android.launcher u:r:system_app:s0 system 3042 2010 com.android.seandroid_manager u:r:kernel:s0 app_10 3153 2010 com.android.email u:r:kernel:s0 app_28 3201 2010 com.android.exchange u:r:kernel:s0 app_4 3238 2010 android.process.media u:r:kernel:s0 app_32 3324 2010 com.android.providers.calendar u:r:kernel:s0 app_19 3406 2010 com.android.deskclock u:r:kernel:s0 app_8 3420 2010 com.android.calendar u:r:kernel:s0 app_5 3459 2010 com.android.gallery3d u:r:kernel:s0 app_37 3473 2010 com.android.quicksearchbox u:r:kernel:s0 root 7660 2 flush-179:0 u:r:kernel:s0 root 10861 2 kworker/0:4 u:r:kernel:s0 root 12670 2 kworker/0:2 u:r:kernel:s0 root 13345 2 kworker/u:2 u:r:kernel:s0 root 14319 2 kworker/0:0 u:r:kernel:s0 root 14464 2 kworker/0:3 u:r:kernel:s0 root 14812 2019 ps root@android:/proc/sys/kernel # Output of ps with original policy, only policy version changed: root@android:/ # ps -Z LABEL USER PID PPID NAME u:r:kernel:s0 root 1 0 init u:r:kernel:s0 root 2 0 kthreadd u:r:kernel:s0 root 3 2 ksoftirqd/0 u:r:kernel:s0 root 4 2 kworker/0:0 u:r:kernel:s0 root 5 2 kworker/u:0 u:r:kernel:s0 root 6 2 khelper u:r:kernel:s0 root 7 2 kworker/u:1 u:r:kernel:s0 root 12 2 suspend u:r:kernel:s0 root 50 2 irq/72-serial i u:r:kernel:s0 root 52 2 irq/73-serial i u:r:kernel:s0 root 54 2 irq/74-serial i u:r:kernel:s0 root 56 2 irq/80-serial i u:r:kernel:s0 root 267 2 sync_supers u:r:kernel:s0 root 269 2 bdi-default u:r:kernel:s0 root 271 2 kblockd u:r:kernel:s0 root 284 2 omap2_mcspi u:r:kernel:s0 root 298 2 khubd u:r:kernel:s0 root 303 2 kseriod u:r:kernel:s0 root 311 2 twl4030-irqchip u:r:kernel:s0 root 312 2 twl4030-irq u:r:kernel:s0 root 325 2 irq/378-twl4030 u:r:kernel:s0 root 342 2 irq/188-3-0022 u:r:kernel:s0 root 345 2 irq/187-3-0023 u:r:kernel:s0 root 354 2 kmmcd u:r:kernel:s0 root 444 2 musb-hdrc.0 u:r:kernel:s0 root 446 2 rpciod u:r:kernel:s0 root 447 2 kworker/0:1 u:r:kernel:s0 root 457 2 kswapd0 u:r:kernel:s0 root 459 2 fsnotify_mark u:r:kernel:s0 root 460 2 aio u:r:kernel:s0 root 461 2 nfsiod u:r:kernel:s0 root 462 2 crypto u:r:kernel:s0 root 478 2 dsi u:r:kernel:s0 root 549 2 kworker/0:2 u:r:kernel:s0 root 584 2 kworker/0:3 u:r:kernel:s0 root 611 2 irq/369-twl4030 u:r:kernel:s0 root 613 2 kpsmoused u:r:kernel:s0 root 619 2 irq/318-atmel_m u:r:kernel:s0 root 625 2 irq/376-twl4030 u:r:kernel:s0 root 626 2 kworker/u:2 u:r:kernel:s0 root 667 2 kstriped u:r:kernel:s0 root 669 2 kondemand u:r:kernel:s0 root 679 2 usbhid_resumer u:r:kernel:s0 root 682 2 binder u:r:kernel:s0 root 721 2 mmcqd/0 u:r:kernel:s0 root 819 2 flush-179:0 u:r:kernel:s0 root 823 2 loop0 u:r:kernel:s0 root 876 1 /bin/sh u:r:kernel:s0 root 890 2 kworker/0:4 u:r:kernel:s0 root 1535 876 sh u:r:kernel:s0 root 1539 1535 sh u:r:kernel:s0 root 1560 2 loop1 u:r:kernel:s0 root 1604 1539 sh u:r:kernel:s0 root 1607 1604 cat u:r:kernel:s0 root 1659 1539 /init u:r:kernel:s0 root 1660 1659 /sbin/ueventd u:r:kernel:s0 root 1997 2 cfg80211 u:r:kernel:s0 system 2003 1659 /system/bin/servicemanager u:r:kernel:s0 root 2004 1659 /system/bin/vold u:r:kernel:s0 root 2006 1659 /system/bin/netd u:r:kernel:s0 root 2007 1659 /system/bin/debuggerd u:r:kernel:s0 root 2008 1659 /system/bin/rild u:r:kernel:s0 system 2009 1659 /system/bin/surfaceflinger u:r:kernel:s0 root 2010 1659 zygote u:r:kernel:s0 drm 2011 1659 /system/bin/drmserver u:r:kernel:s0 media 2015 1659 /system/bin/mediaserver u:r:kernel:s0 bluetooth 2016 1659 /system/bin/dbus-daemon u:r:kernel:s0 root 2017 1659 /system/bin/installd u:r:kernel:s0 keystore 2018 1659 /system/bin/keystore u:r:kernel:s0 root 2019 1659 /system/bin/sh u:r:kernel:s0 root 2020 1659 /sbin/adbd u:r:kernel:s0 root 2030 2 pvr_timer u:r:kernel:s0 root 2091 2 pvr_workqueue u:r:kernel:s0 root 2112 2 omaplfb u:r:kernel:s0 root 2202 2 kworker/u:3 u:r:system:s0 system 2223 2010 system_server u:r:system_app:s0 system 2577 2010 com.android.systemui u:r:system_app:s0 system 2627 2010 com.android.settings u:r:untrusted_app:s0:c1,c256 app_1 2732 2010 android.process.acore u:r:untrusted_app:s0:c25,c256 app_25 2747 2010 com.android.provision u:r:untrusted_app:s0:c24,c256 app_24 2830 2010 com.android.smspush u:r:untrusted_app:s0:c20,c256 app_20 2910 2010 com.android.launcher u:r:untrusted_app:s0:c1,c256 app_1 2965 2010 com.android.contacts u:r:untrusted_app:s0:c30,c256 app_30 3021 2010 com.android.inputmethod.latin u:r:system_app:s0 system 3043 2010 com.android.seandroid_manager u:r:radio:s0 radio 3067 2010 com.android.phone u:r:untrusted_app:s0:c10,c256 app_10 3177 2010 com.android.email u:r:untrusted_app:s0:c28,c256 app_28 3261 2010 com.android.exchange u:r:untrusted_app:s0:c27,c256 app_27 3343 2010 com.example.learning1 u:r:untrusted_app:s0:c4,c256 app_4 3412 2010 android.process.media u:r:untrusted_app:s0:c32,c256 app_32 3442 2010 com.android.providers.calendar u:r:untrusted_app:s0:c5,c256 app_5 3491 2010 com.android.gallery3d u:r:kernel:s0 root 3522 2019 ps It looks like a lot of the file system is unlabeled, so I will look for the problem there. //Dan -- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
