Yes, the app is trying to access its own app data directory. What more information do you need so that I can gather that? Also, how do I get more info?
What I think is that when we upgrade, it does not label the app directory again, which leads to the denial.

Thanks.

-----Original Message-----
From: Stephen Smalley [mailto:[email protected]]
Sent: Wednesday, December 02, 2015 8:42 PM
To: Inamdar Sharif; [email protected]
Cc: Nick Kralevich
Subject: Re: MLS constraints blocking untrusted app to access app_data_file

On 12/02/2015 09:35 AM, Inamdar Sharif wrote:
> Steps are:
>
> 1) Install the app on the device.
> 2) Move the app to the sdcard.
> 3) Try to run the app from the sdcard.----> Failed.
>
> This happens after upgrading to Android M.

I don't think I can test that, as the only devices I have that run M are Nexus and have no real SDcard support. The question remains as to why the app data directory is not being labeled with the appropriate categories. That's the bug - the data directory needs to be labeled consistently with the app.

I assume btw that this is the app trying to access its own app data directory; I can't tell that from only the information you provided since you omitted any identifying information from the denial (and fully determining it might require syscall audit or other logging).

>
> Thanks.
>
> -----Original Message-----
> From: Stephen Smalley [mailto:[email protected]]
> Sent: Wednesday, December 02, 2015 7:51 PM
> To: Inamdar Sharif; [email protected]
> Subject: Re: MLS constraints blocking untrusted app to access app_data_file
>
> On 12/02/2015 12:37 AM, Inamdar Sharif wrote:
>> Hi,
>>
>> I am getting the below avc denied for almost every untrusted app
>>
>> type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#" ino=# scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=dir permissive=0
>>
>> Usecase: Apps on SDCard try to access their files.
>>
>> I know the reason about why this is happening:
>>
>> 1) untrusted_app and app_data_file have different security levels
>> 2) untrusted_app is not mlstrustedsubject
>> 3) app_data_file is not mlstrustedobject
>>
>> But I am not sure how I can solve this issue.
>>
>> Please let me know any pointers on how to solve this issue.
>>
>> Thanks.
>
> Can you provide step-by-step instructions for reproducing the denial?
>
> Why is the directory not labeled with the category set?
> What does ls -Z of the directory show?

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
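An added example, not part of the original thread: a small Python triage helper that parses the AVC denial quoted above and compares the MLS levels of `scontext` and `tcontext`, which makes the missing categories on the data directory visible. The function names are hypothetical, the sample line is the redacted denial from the thread, and the script only compares labels; it does not evaluate the policy's `mlsconstrain` rules.

```python
import re

# Sample input: the denial quoted in the thread (name/dev/ino were redacted as "#").
SAMPLE = ('type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#" '
          'ino=# scontext=u:r:untrusted_app:s0:c512,c768 '
          'tcontext=u:object_r:app_data_file:s0 tclass=dir permissive=0')

def parse_level(level):
    """Split an MLS level like 's0:c512,c768' into (sensitivity, set of category numbers)."""
    low = level.split("-", 1)[0]               # for a level range, keep only the low level
    sens, _, cats = low.partition(":")
    found = set()
    for part in filter(None, cats.split(",")):
        first, _, last = part.partition(".")   # 'c0.c3' is an inclusive category range
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        found.update(range(lo, hi + 1))
    return sens, found

def parse_context(ctx):
    """Split 'user:role:type:level'; the level part may itself contain ':'."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": parse_level(level)}

def explain_denial(line):
    """Return a dict describing how the source and target MLS levels differ."""
    perms = re.search(r"denied\s+\{([^}]*)\}", line).group(1).split()
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    src, tgt = parse_context(fields["scontext"]), parse_context(fields["tcontext"])
    (s_sens, s_cats), (t_sens, t_cats) = src["level"], tgt["level"]
    return {
        "perms": perms,
        "tclass": fields["tclass"],
        "source_type": src["type"],
        "target_type": tgt["type"],
        "levels_equal": s_sens == t_sens and s_cats == t_cats,
        "missing_on_target": sorted(s_cats - t_cats),   # categories the directory lacks
        "extra_on_target": sorted(t_cats - s_cats),
    }

if __name__ == "__main__":
    for key, value in explain_denial(SAMPLE).items():
        print(f"{key}: {value}")
```

Running the same comparison against the level shown by `ls -Z` for the app's data directory answers the question asked in the thread about whether the directory carries the category set.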
