You are missing the following kernel patch: https://android-review.googlesource.com/58360 (or whatever version is appropriate for your kernel version).
More generally, you should make an effort to stay up to date on patches in the Android kernel tree. More and more changes are going to require running a tip-of-tree kernel from Android's common kernel tree.

On Mon, May 11, 2015 at 9:23 PM, Jaejyn Shin <[email protected]> wrote:
> Dear SEAndroid developer
>
> I downloaded the recent AOSP source and downloaded boot.img and system.img into my device.
>
> But the init process is not translated to the init domain; it is still in the kernel domain.
>
> I found some error logs in the kernel log.
>
> -----------------------------------------------------------------------------------------------------------
> [ 3.937742 / 01-01 00:48:26.729][5] init: (Initializing SELinux non-enforcing took 0.15s.)
> [ 3.940387 / 01-01 00:48:26.729][5] init: SELinux: Could not set context for /init: Operation not supported on transport endpoint
> [ 3.940404 / 01-01 00:48:26.729][5] init: restorecon failed: Operation not supported on transport endpoint
> [ 3.940473 / 01-01 00:48:26.729][5] type=1400 audit(1420073306.729:3): avc: denied { execute } for pid=1 comm="init" name="init" dev="rootfs" ino=9528 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
> [ 3.940598 / 01-01 00:48:26.729][5] type=1400 audit(1420073306.729:4): avc: denied { execute_no_trans } for pid=1 comm="init" path="/init" dev="rootfs" ino=9528 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
> [ 3.942118 / 01-01 00:48:26.729][5] type=1400 audit(1420073306.729:5): avc: denied { write } for pid=1 comm="init" name="/" dev="tmpfs"
> (... lots of avc denial logs caused by the init process in the kernel domain)
> -----------------------------------------------------------------------------------------------------------
>
> The /init file is not translated to init_exec.
>
> root@device:/ # ls -Z | grep init
> ls -Z | grep init
> -rwxr-x--- root root u:object_r:rootfs:s0 init
>
> Moreover, I could not translate the init file into init_exec using the restorecon command on the shell.
>
> root@device:/ # restorecon /init
> restorecon /init
> SELinux: Loaded file_contexts contexts from /file_contexts.
> SELinux: Could not set context for /init: Read-only file system
> restorecon: restorecon failed: /init: Read-only file system
> 1|root@device:/ #
>
> The "Could not set context for" error log was printed in the external/libselinux/src/android.c file.
>
> -----------------------------------------------------------------------------------------------------------
> if (strcmp(oldsecontext, secontext) != 0) {
>     if (verbose)
>         selinux_log(SELINUX_INFO,
>                     "SELinux: Relabeling %s from %s to %s.\n",
>                     pathname, oldsecontext, secontext);
>
>     if (!nochange) {
>         if (lsetfilecon(pathname, secontext) < 0)
>             goto err; /* Error happened here: lsetfilecon failed */
>     }
> }
>
> rc = 0;
>
> out:
>     freecon(oldsecontext);
>     freecon(secontext);
>     return rc;
>
> err:
>     selinux_log(SELINUX_ERROR,
>                 "SELinux: Could not set context for %s: %s\n",
>                 pathname, strerror(errno));
>     rc = -1;
>     goto out;
> -----------------------------------------------------------------------------------------------------------
>
> Is there any solution to translate the init process from the kernel domain to the init domain in init.cpp (not using the setcon script in init.rc)?
>
> Thank you
> Best regards
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to [email protected].

-- 
Nick Kralevich | Android Security | [email protected] | 650.214.4037
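The symptom in this thread can be recognised from the kernel log alone: libselinux fails to relabel /init, and pid 1 then executes /init with no domain transition, so every later denial carries scontext=u:r:kernel:s0. The following Python check is an added example, not code from the thread or from AOSP; the log text is constructed to mirror the lines quoted above, and the field names (pid, scontext, tcontext, tclass) are those of standard avc denial messages.

```python
import re

# Constructed sample modelled on the kernel log quoted in the thread; not captured from a real device.
SAMPLE_LOG = """\
[ 3.937742 / 01-01 00:48:26.729][5] init: (Initializing SELinux non-enforcing took 0.15s.)
[ 3.940387 / 01-01 00:48:26.729][5] init: SELinux: Could not set context for /init: Operation not supported on transport endpoint
[ 3.940404 / 01-01 00:48:26.729][5] init: restorecon failed: Operation not supported on transport endpoint
[ 3.940473 / 01-01 00:48:26.729][5] type=1400 audit(1420073306.729:3): avc: denied { execute } for pid=1 comm="init" name="init" dev="rootfs" ino=9528 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[ 3.940598 / 01-01 00:48:26.729][5] type=1400 audit(1420073306.729:4): avc: denied { execute_no_trans } for pid=1 comm="init" path="/init" dev="rootfs" ino=9528 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[ 3.942118 / 01-01 00:48:26.729][5] type=1400 audit(1420073306.729:5): avc: denied { write } for pid=1 comm="init" name="/" dev="tmpfs" ino=1 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
[ 9.100000 / 01-01 00:48:32.000][5] type=1400 audit(1420073312.000:9): avc: denied { read } for pid=412 comm="app_process" name="data" dev="mmcblk0p23" ino=2 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(r'avc: denied \{ (?P<perms>[^}]*)\} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one avc denial as a dict (perms list plus key=value fields), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def diagnose(log_text):
    """Summarise, from boot-time kernel log text, whether init left the kernel domain."""
    lines = log_text.splitlines()
    denials = [d for d in map(parse_avc, lines) if d]
    pid1_kernel = [d for d in denials
                   if d.get('pid') == '1' and d.get('scontext') == 'u:r:kernel:s0']
    return {
        # lsetfilecon on /init failed: consistent with the rootfs not supporting security xattrs
        'init_relabel_failed': any('Could not set context for /init' in l for l in lines),
        # pid 1 ran /init with execute_no_trans, i.e. no transition out of u:r:kernel:s0
        'init_stuck_in_kernel_domain': any(
            'execute_no_trans' in d['perms'] and d.get('tcontext') == 'u:object_r:rootfs:s0'
            for d in pid1_kernel),
        'pid1_kernel_domain_denials': len(pid1_kernel),
        'other_denials': len(denials) - len(pid1_kernel),
    }


if __name__ == '__main__':
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

On a real device the same function can be fed the output of `dmesg` taken right after boot.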
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
