Thanks, guys, for your response.

The problem was:
After the upgrade from L to M, restorecon runs at first boot. But that happens 
before the SD card is mounted, and at that moment package info for apps on the SD 
card is not available.
So data files for apps on the SD card still have the old SELinux context, which 
leads to the crashing of the apps on the SD card.

The problem is resolved now.

Thanks.

-----Original Message-----
From: Stephen Smalley [mailto:[email protected]] 
Sent: Thursday, December 03, 2015 1:07 AM
To: Inamdar Sharif; [email protected]
Cc: [email protected]
Subject: Re: MLS constraints blocking untrusted app to access app_data_file

On 12/02/2015 01:40 PM, Inamdar Sharif wrote:
> Here is the logcat failure
>
> Unable to create files subdir /data/user/0/<package name>/cache
>
> Thanks.

/data/user/0 is usually just a symlink to /data/data.
The question is what is /data/data/<package name> pointing to?
ls -l /data/data/<package name>

>
> Sent from my Android phone using Symantec TouchDown (www.symantec.com)
>
> -----Original Message-----
> *From:* Stephen Smalley [[email protected]]
> *Received:* Wednesday, 02 Dec 2015, 11:52PM
> *To:* Inamdar Sharif [[email protected]]; 
> [email protected] [[email protected]]
> *CC:* [email protected] [[email protected]]
> *Subject:* Re: MLS constraints blocking untrusted app to access 
> app_data_file
>
> On 12/02/2015 01:17 PM, Inamdar Sharif wrote:
>> It's data/data/<packagename>
>
> That's not on the sdcard, unless it is just a symlink there?
>
>>
>> Sent from my Android phone using Symantec TouchDown (www.symantec.com)
>>
>> -----Original Message-----
>> *From:* Stephen Smalley [[email protected]]
>> *Received:* Wednesday, 02 Dec 2015, 11:42PM
>> *To:* Inamdar Sharif [[email protected]]; 
>> [email protected] [[email protected]]
>> *CC:* [email protected] [[email protected]]
>> *Subject:* Re: MLS constraints blocking untrusted app to access 
>> app_data_file
>>
>> On 12/02/2015 12:36 PM, Inamdar Sharif wrote:
>>> I first moved the app to sdcard.
>>> Then did the upgrade and then tried to run from sdcard.
>>>
>>> Thanks.
>>
>> What's the pathname prefix of the app data directory?
>> e.g. they typically live in /data/data, /data/user/<N>, 
>> /mnt/expand/<UUID>/user/<N> or likewise with user_de instead of user.
>>
>>>
>>> Sent from my Android phone using Symantec TouchDown (www.symantec.com)
>>>
>>> -----Original Message-----
>>> *From:* Stephen Smalley [[email protected]]
>>> *Received:* Wednesday, 02 Dec 2015, 9:52PM
>>> *To:* Inamdar Sharif [[email protected]]; 
>>> [email protected] [[email protected]]
>>> *CC:* Nick Kralevich [[email protected]]
>>> *Subject:* Re: MLS constraints blocking untrusted app to access 
>>> app_data_file
>>>
>>> On 12/02/2015 11:01 AM, Inamdar Sharif wrote:
>>>> Yes the app is trying to access it own app data directory.
>>>>
>>>> What more information do you need so that I can gather it?
>>>> Also, how do I get more info?
>>>>
>>>> What I think is that when we do the upgrade, it does not label the app directory 
>>>> again, which leads to the denial.
>>>
>>> So, you moved the app data directory to SD before upgrading to M?  
>>> Or afterward?  If afterward, did it have the correct label prior to moving 
>>> it?
>>>
>>> What's the path prefix of the app data directory?
>>>
>>>>
>>>> Thanks.
>>>>
>>>> -----Original Message-----
>>>> From: Stephen Smalley [mailto:[email protected]]
>>>> Sent: Wednesday, December 02, 2015 8:42 PM
>>>> To: Inamdar Sharif; [email protected]
>>>> Cc: Nick Kralevich
>>>> Subject: Re: MLS constraints blocking untrusted app to access 
>>>> app_data_file
>>>>
>>>> On 12/02/2015 09:35 AM, Inamdar Sharif wrote:
>>>>> Steps are:
>>>>>
>>>>> 1) Install the app on the device.
>>>>> 2) Move the app to the sdcard.
>>>>> 3) Try to run the app from the sdcard. ----> Failed.
>>>>>
>>>>> This happens after upgrading to Android M.
>>>>
>>>> I don't think I can test that, as the only devices I have that run M are 
>>>> Nexus and have no real SDcard support.
>>>>
>>>> The question remains as to why the app data directory is not being 
>>>> labeled with the appropriate categories. That's the bug - the data 
>>>> directory needs to be labeled consistently with the app. I assume 
>>>> btw that this is the app trying to access its own appdata 
>>>> directory; I can't tell that from only the information you 
>>>> provided since you omitted any identifying information from the 
>>>> denial (and fully determining it might require syscall audit or other 
>>>> logging).
>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Stephen Smalley [mailto:[email protected]]
>>>>> Sent: Wednesday, December 02, 2015 7:51 PM
>>>>> To: Inamdar Sharif; [email protected]
>>>>> Subject: Re: MLS constraints blocking untrusted app to access 
>>>>> app_data_file
>>>>>
>>>>> On 12/02/2015 12:37 AM, Inamdar Sharif wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am getting the below avc denied for almost every untrusted app
>>>>>>
>>>>>> type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#"
>>>>>> ino=# scontext=u:r:untrusted_app:s0:c512,c768
>>>>>> tcontext=u:object_r:app_data_file:s0 tclass=dir permissive=0
>>>>>>
>>>>>> Usecase: Apps on SDCard try to access their files.
>>>>>>
>>>>>> I know the reason about why this is happening:
>>>>>>
>>>>>> 1) untrusted_app and app_data_file have different security levels
>>>>>>
>>>>>> 2) untrusted_app is not mlstrustedsubject
>>>>>>
>>>>>> 3) app_data_file is not mlstrustedobject
>>>>>>
>>>>>> But I am not sure how I can solve this issue.
>>>>>>
>>>>>> Please let me know any pointers on how to solve this issue.
>>>>>>
>>>>>> Thanks.
>>>>>
>>>>> Can you provide step-by-step instructions for reproducing the denial?
>>>>>
>>>>> Why is the directory not labeled with the category set?
>>>>> What does ls -Z of the directory show?
>>>>>
>>>>>


_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].
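The denial quoted at the start of this thread, and Stephen's point that the data directory has to carry the same category set as the app, can be checked mechanically from a logcat capture. The Python below is an added example, not code from the thread, from Symantec or from AOSP: it parses avc lines, compares the MLS level of scontext and tcontext, and separates "object has no categories at all" (the stale-label case that results when restorecon runs before the SD card is mounted) from a genuine category mismatch and from a plain type-enforcement denial where MLS is not the cause. The expected_user_categories rule (512 plus the low byte of the user id, 768 plus the high byte, which gives the c512,c768 seen for user 0 in the posted denial) is my recollection of libselinux's levelFrom=user handling and is an assumption; the first sample line is the thread's denial, the other two are constructed.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed sample input. Line 1 is the denial quoted in the thread (the fields
# the poster redacted with "#" are kept as-is); lines 2 and 3 are constructed.
SAMPLE_LOG = [
    'type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#" ino=# '
    'scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 '
    'tclass=dir permissive=0',
    'type=1400 audit(0.0:1079): avc: denied { write } for name="cache" dev="mmcblk1p1" '
    'ino=4242 scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:object_r:app_data_file:s0:c513,c768 tclass=dir permissive=0',
    'type=1400 audit(0.0:1080): avc: denied { read } for name="x" dev="mmcblk1p1" '
    'ino=4243 scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:object_r:system_data_file:s0:c512,c768 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CAT_RE = re.compile(r'^c(\d+)(?:\.c(\d+))?$')   # a single category or a range c0.c1023


def parse_context(ctx: str) -> Dict:
    """Split u:r:untrusted_app:s0:c512,c768 into parts; categories become ints."""
    parts = ctx.split(':')
    if len(parts) < 4:
        raise ValueError(f'not an MLS security context: {ctx!r}')
    cats = set()
    tokens = parts[4].split(',') if (len(parts) > 4 and parts[4]) else []
    for tok in tokens:
        m = CAT_RE.match(tok)
        if not m:
            raise ValueError(f'bad category {tok!r} in {ctx!r}')
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        cats.update(range(lo, hi + 1))
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'sensitivity': parts[3], 'categories': frozenset(cats)}


def format_context(c: Dict, categories: FrozenSet[int]) -> str:
    """Rebuild a context string carrying the given category set."""
    level = c['sensitivity']
    if categories:
        level += ':' + ','.join(f'c{n}' for n in sorted(categories))
    return ':'.join([c['user'], c['role'], c['type'], level])


def parse_denial(line: str) -> Dict:
    """Extract permissions, class, name and both contexts from one avc line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an avc denial line')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {'perms': m.group('perms').split(),
            'tclass': fields.get('tclass'),
            'name': fields.get('name'),
            'scontext': parse_context(fields['scontext']),
            'tcontext': parse_context(fields['tcontext'])}


def classify(denial: Dict) -> str:
    """Decide whether the MLS level, rather than type enforcement, explains a denial."""
    s, t = denial['scontext'], denial['tcontext']
    if s['sensitivity'] == t['sensitivity'] and s['categories'] == t['categories']:
        return 'type_enforcement'         # levels already match; MLS is not the cause
    if not t['categories']:
        return 'mls_missing_categories'   # object was never (re)labelled with categories
    return 'mls_category_mismatch'        # object is labelled for another app or user


def expected_user_categories(userid: int) -> FrozenSet[int]:
    """ASSUMPTION (not from the thread): libselinux's levelFrom=user rule,
    which yields c512,c768 for user 0 as in the posted denial."""
    return frozenset({512 + (userid & 0xff), 768 + ((userid >> 8) & 0xff)})


def triage(lines: List[str], userid: int = 0) -> List[Dict]:
    """Classify each denial and, for MLS cases, state the label the object should carry."""
    results = []
    for line in lines:
        try:
            d = parse_denial(line)
        except (ValueError, KeyError):
            continue   # not an avc line, or one without scontext/tcontext
        verdict = classify(d)
        expected = None
        if verdict.startswith('mls_'):
            expected = format_context(d['tcontext'], expected_user_categories(userid))
        results.append({'name': d['name'], 'tclass': d['tclass'], 'perms': d['perms'],
                        'verdict': verdict, 'expected_tcontext': expected})
    return results


if __name__ == '__main__':
    for r in triage(SAMPLE_LOG):
        print(r)
```

Run it over `logcat -b events` or `dmesg` output with the user id of the affected profile; an `mls_missing_categories` verdict on app_data_file objects is the signature of a directory that restorecon never reached, and the printed expected_tcontext is what `ls -Z` on that directory should show after a correct relabel.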
