Hello SEAndroid community,

I am completely new to SEAndroid, so please be patient :)

I am trying to build a secure Android system for my nitrogen6x board by
boundarydevices. They provide an Android 4.3 repository with some
modifications adjusted to the nitrogen board. I made some kernel
configuration changes to enable SELinux and built the whole system with
success. In permissive mode the system works without any errors. But when
setting SEAndroid into enforcing mode the whole system crashes.
I could neither launch any application nor perform any gesture actions. Do
I need to modify some policies? I guess SEAndroid prohibits systemui and
launcher from accessing /dev/graphics/galcore (see avc output). But
unfortunately I have no clue about policy files. Please help me. Thank you
very much, I appreciate your help!

------------------------------

<5>type=1400 audit(86570.180:55): avc:  denied  { search } for  pid=3331
comm="ndroid.launcher" name="graphics" dev=tmpfs ino=4103
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=dir
<5>type=1400 audit(86573.600:56): avc:  denied  { sigkill } for  pid=3349
comm="NativeCrashRepo" scontext=u:r:system_server:s0
tcontext=u:r:zygote:s0 tclass=process
<5>type=1400 audit(86574.020:57): avc:  denied  { search } for  pid=3366
comm="ndroid.launcher" name="graphics" dev=tmpfs ino=4103
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=dir
<5>type=1400 audit(86579.660:58): avc:  denied  { sigkill } for  pid=3385
comm="NativeCrashRepo" scontext=u:r:system_server:s0
tcontext=u:r:zygote:s0 tclass=process
<5>type=1400 audit(86580.010:59): avc:  denied  { ioctl } for  pid=2585
comm="ndroid.systemui" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86580.040:60): avc:  denied  { ioctl } for  pid=2585
comm="ndroid.systemui" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86580.060:61): avc:  denied  { ioctl } for  pid=2585
comm="ndroid.systemui" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86580.080:62): avc:  denied  { ioctl } for  pid=2585
comm="ndroid.systemui" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86580.120:63): avc:  denied  { search } for  pid=3398
comm="ndroid.launcher" name="graphics" dev=tmpfs ino=4103
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=dir
<5>type=1400 audit(86588.510:65): avc:  denied  { read write } for 
pid=3434 comm="ndroid.launcher" name="galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86588.530:66): avc:  denied  { open } for  pid=3434
comm="ndroid.launcher" name="galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86588.550:67): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86604.930:68): avc:  denied  { read write } for 
pid=3543 comm="ndroid.systemui" name="galcore" dev=tmpfs ino=4741
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86604.950:69): avc:  denied  { open } for  pid=3543
comm="ndroid.systemui" name="galcore" dev=tmpfs ino=4741
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86604.970:70): avc:  denied  { ioctl } for  pid=3543
comm="ndroid.systemui" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86778.830:72): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86778.850:73): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86778.900:74): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86778.920:75): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86778.980:76): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86779.000:77): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86779.020:78): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86779.040:79): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86779.070:80): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86805.300:96): avc:  denied  { ioctl } for  pid=3543
comm="ndroid.systemui" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86805.330:97): avc:  denied  { ioctl } for  pid=3543
comm="ndroid.systemui" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86806.890:98): avc:  denied  { search } for  pid=3630
comm="ndroid.systemui" name="graphics" dev=tmpfs ino=4103
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=dir
<5>type=1400 audit(86809.690:99): avc:  denied  { search } for  pid=3647
comm="ndroid.systemui" name="graphics" dev=tmpfs ino=4103
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=dir
<5>type=1400 audit(86812.780:100): avc:  denied  { search } for  pid=3665
comm="ndroid.systemui" name="graphics" dev=tmpfs ino=4103
scontext=u:r:platform_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=dir
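
An added example, not part of the original post: a short Python script that collapses a wrapped AVC log like the one above into one entry per (source domain, target type, class) and prints each entry in allow-rule syntax for review. The function names are hypothetical, and the sample is four records copied from the log with their e-mail line wrapping left in place.

```python
import re
from collections import defaultdict

# Four records copied from the log above, still wrapped as in the e-mail.
SAMPLE = """\
<5>type=1400 audit(86570.180:55): avc:  denied  { search } for  pid=3331
comm="ndroid.launcher" name="graphics" dev=tmpfs ino=4103
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=dir
<5>type=1400 audit(86573.600:56): avc:  denied  { sigkill } for  pid=3349
comm="NativeCrashRepo" scontext=u:r:system_server:s0
tcontext=u:r:zygote:s0 tclass=process
<5>type=1400 audit(86588.510:65): avc:  denied  { read write } for 
pid=3434 comm="ndroid.launcher" name="galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
<5>type=1400 audit(86588.550:67): avc:  denied  { ioctl } for  pid=3434
comm="ndroid.launcher" path="/dev/graphics/galcore" dev=tmpfs ino=4741
scontext=u:r:shared_app:s0 tcontext=u:object_r:graphics_device:s0
tclass=chr_file
"""

# Permission set, then the nearest scontext/tcontext/tclass that follows it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source domain, target type, class) to the sorted denied permissions."""
    joined = " ".join(log_text.split())  # undo the mail client's line wrapping
    groups = defaultdict(set)
    for m in AVC_RE.finditer(joined):
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        groups[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in groups.items()}

def as_rules(groups):
    """Render each group in allow-rule syntax, one line per group, for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(groups.items())]

if __name__ == "__main__":
    for rule in as_rules(summarize(SAMPLE)):
        print(rule)
```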


