Dear Nick,

The commit works. Thank you for your quick response and advice. I wondered how to change the label of a file in the ramfs.
Thank you
Best regards

2015-05-12 13:40 GMT+09:00 Nick Kralevich <[email protected]>:
> You are missing the following kernel patch:
> https://android-review.googlesource.com/58360 (or whatever version is
> appropriate for your kernel version).
>
> More generally, you should make an effort to stay up to date on patches in
> the Android kernel tree. More and more changes are going to require running
> a tip-of-tree kernel from Android's common kernel tree.
>
> On Mon, May 11, 2015 at 9:23 PM, Jaejyn Shin <[email protected]>
> wrote:
>
>> Dear SEAndroid developer,
>>
>> I downloaded the recent AOSP source and downloaded boot.img and system.img
>> to my device.
>>
>> But the init process is not translated to the init domain; it is still in the
>> kernel domain.
>>
>> I found some error logs in the kernel log.
>>
>> -----------------------------------------------------------------------------------------------------------
>> [ 3.937742 / 01-01 00:48:26.729][5] init: (Initializing SELinux non-enforcing took 0.15s.)
>> [ 3.940387 / 01-01 00:48:26.729][5] init: SELinux: Could not set context for /init: Operation not supported on transport endpoint
>> [ 3.940404 / 01-01 00:48:26.729][5] init: restorecon failed: Operation not supported on transport endpoint
>> [ 3.940473 / 01-01 00:48:26.729][5] type=1400 audit(1420073306.729:3): avc: denied { execute } for pid=1 comm="init" name="init" dev="rootfs" ino=9528 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
>> [ 3.940598 / 01-01 00:48:26.729][5] type=1400 audit(1420073306.729:4): avc: denied { execute_no_trans } for pid=1 comm="init" path="/init" dev="rootfs" ino=9528 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
>> [ 3.942118 / 01-01 00:48:26.729][5] type=1400 audit(1420073306.729:5): avc: denied { write } for pid=1 comm="init" name="/" dev="tmpfs"
>> (... lots of avc denial logs caused by the init process in the kernel domain)
>> -----------------------------------------------------------------------------------------------------------
>>
>> The /init file is not translated to init_exec.
>>
>> root@device:/ # ls -Z | grep init
>> ls -Z | grep init
>> -rwxr-x--- root root u:object_r:rootfs:s0 init
>>
>> Moreover, I could not translate the init file to init_exec using the
>> restorecon command in the shell.
>>
>> root@device:/ # restorecon /init
>> restorecon /init
>> SELinux: Loaded file_contexts contexts from /file_contexts.
>> SELinux: Could not set context for /init: Read-only file system
>> restorecon: restorecon failed: /init: Read-only file system
>> 1|root@device:/ #
>>
>> The "Could not set context for" error log is printed from the
>> external/libselinux/src/android.c file.
>>
>> -----------------------------------------------------------------------------------------------------------
>>     if (strcmp(oldsecontext, secontext) != 0) {
>>         if (verbose)
>>             selinux_log(SELINUX_INFO,
>>                         "SELinux: Relabeling %s from %s to %s.\n",
>>                         pathname, oldsecontext, secontext);
>>
>>         if (!nochange) {
>>             if (lsetfilecon(pathname, secontext) < 0)
>>                 goto err; /* Error happened here: lsetfilecon failed */
>>         }
>>     }
>>
>>     rc = 0;
>>
>> out:
>>     freecon(oldsecontext);
>>     freecon(secontext);
>>     return rc;
>>
>> err:
>>     selinux_log(SELINUX_ERROR,
>>                 "SELinux: Could not set context for %s: %s\n",
>>                 pathname, strerror(errno));
>>     rc = -1;
>>     goto out;
>> -----------------------------------------------------------------------------------------------------------
>>
>> Is there any solution to translate the init process from the kernel domain to
>> the init domain in init.cpp (not using the setcon script in init.rc)?
>>
>> Thank you
>> Best regards
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> [email protected]
>> To unsubscribe, send email to [email protected].
>> To get help, send an email containing "help" to
>> [email protected].
>>
>
>
> --
> Nick Kralevich | Android Security | [email protected] | 650.214.4037
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
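The two error strings in the thread come from the same libselinux call failing for two different reasons: at boot, lsetfilecon() on /init failed with EOPNOTSUPP ("Operation not supported on transport endpoint" in bionic's strerror), which is the kernel-side gap Nick attributes to the missing patch, while the later shell `restorecon /init` failed with EROFS because the rootfs was mounted read-only. The avc lines also show why the label matters: init execs /init again after the restorecon, and with /init still labeled rootfs the exec is an `execute_no_trans` in the kernel domain instead of the transition to init that the policy keys off init_exec. The program below is an added example, not libselinux or AOSP code: it does the same read-compare-write that the quoted android.c fragment does, but through the raw xattr calls that lsetfilecon() wraps (the attribute name is a parameter, so the self-check can run in the user.* namespace on a host without SELinux) and classifies the errno so the two failure modes are reported distinctly. The helper names, the user.relabel_demo attribute and the temp-file paths are assumptions of this example.

```c
/* Added example: restorecon-style relabel of one path with the two failure
 * modes from the thread told apart.  Not libselinux or AOSP code.
 * Assumes Linux; libselinux's lsetfilecon() is a thin wrapper around
 * lsetxattr(path, "security.selinux", ...), so the raw calls are used here. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

enum relabel_result {
    RELABEL_UNCHANGED,    /* label already matches */
    RELABEL_WOULD_CHANGE, /* dry run: label differs, nothing written */
    RELABEL_CHANGED,      /* label written */
    RELABEL_UNSUPPORTED,  /* EOPNOTSUPP: fs cannot store the xattr (the boot-time error) */
    RELABEL_READONLY,     /* EROFS: read-only mount (the shell restorecon error) */
    RELABEL_DENIED,       /* EPERM/EACCES: caller may not write it */
    RELABEL_ERROR         /* anything else; errno is left intact */
};

/* Map errno from lgetxattr/lsetxattr to a diagnosis the caller can act on. */
enum relabel_result classify_errno(int err)
{
    switch (err) {
    case EOPNOTSUPP: return RELABEL_UNSUPPORTED;  /* same value as ENOTSUP on Linux */
    case EROFS:      return RELABEL_READONLY;
    case EPERM:
    case EACCES:     return RELABEL_DENIED;
    default:         return RELABEL_ERROR;
    }
}

/* Same shape as the quoted android.c fragment: read the current label and
 * write only on mismatch.  ENODATA on read means "unlabeled", not an error. */
enum relabel_result relabel_if_needed(const char *path, const char *xattr,
                                      const char *want, int nochange)
{
    char cur[256];
    ssize_t n = lgetxattr(path, xattr, cur, sizeof cur - 1);

    if (n < 0) {
        if (errno != ENODATA)
            return classify_errno(errno);
        n = 0;
    }
    cur[n] = '\0';                /* a stored trailing NUL is harmless to strcmp */
    if (strcmp(cur, want) == 0)
        return RELABEL_UNCHANGED;
    if (nochange)
        return RELABEL_WOULD_CHANGE;
    /* libselinux stores the label with its NUL terminator; do the same. */
    if (lsetxattr(path, xattr, want, strlen(want) + 1, 0) < 0)
        return classify_errno(errno);
    return RELABEL_CHANGED;
}

const char *describe(enum relabel_result r)
{
    static const char *const text[] = {
        "label already correct", "label differs (dry run, nothing written)",
        "relabeled", "filesystem does not support this xattr (kernel/fs side)",
        "read-only filesystem (remount rw or fix the image)",
        "permission denied", "unexpected error",
    };
    return text[r];
}

/* Self-check for a host without SELinux: dry run, write, re-check in the
 * user.* namespace on a constructed temp file.  Returns 1 if the sequence
 * behaved like restorecon, or if the host fs reports the unsupported/denied
 * condition (reported, not hidden, exactly as on the unpatched ramfs). */
int self_check(void)
{
    const char *tmpl[] = { "/tmp/relabel_demo_XXXXXX", "./relabel_demo_XXXXXX" };
    const char *xattr = "user.relabel_demo", *want = "u:object_r:init_exec:s0";
    char path[64];
    int fd = -1, ok = 0;

    for (int i = 0; i < 2 && fd < 0; i++) {
        snprintf(path, sizeof path, "%s", tmpl[i]);
        fd = mkstemp(path);
    }
    if (fd < 0)
        return 0;
    close(fd);
    enum relabel_result r = relabel_if_needed(path, xattr, want, 1);
    if (r == RELABEL_UNSUPPORTED || r == RELABEL_DENIED)
        ok = 1;
    else if (r == RELABEL_WOULD_CHANGE) {
        r = relabel_if_needed(path, xattr, want, 0);
        ok = r == RELABEL_UNSUPPORTED || r == RELABEL_DENIED ||
             (r == RELABEL_CHANGED &&
              relabel_if_needed(path, xattr, want, 0) == RELABEL_UNCHANGED);
    }
    unlink(path);
    return ok;
}

/* Usage: ./relabel [path] [label] [xattr]; the defaults mirror `restorecon /init`. */
int main(int argc, char **argv)
{
    const char *path  = argc > 1 ? argv[1] : "/init";
    const char *want  = argc > 2 ? argv[2] : "u:object_r:init_exec:s0";
    const char *xattr = argc > 3 ? argv[3] : SELINUX_XATTR;
    enum relabel_result r = relabel_if_needed(path, xattr, want, 0);
    int saved = errno;

    printf("%s: %s", path, describe(r));
    if (r >= RELABEL_UNSUPPORTED)
        printf(" (%s)", strerror(saved));
    putchar('\n');
    return r >= RELABEL_UNSUPPORTED;
}
```

Run as root on a device whose kernel lets ramfs/rootfs store security xattrs, `./relabel /init` performs the same single operation that `restorecon /init` does; a RELABEL_READONLY result means the mount, not the kernel, is the obstacle, and RELABEL_UNSUPPORTED means no remount will help because the filesystem cannot hold the label at all. In a dry run (pass `nochange = 1`) the function reports what it would change without writing, the same role `nochange` plays in the quoted fragment.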
