On 01/13/2016 09:27 AM, Federico Colangelo wrote:
> Hi
>
> I am using 5.0 (lollipop), the system is a custom build but no
> parameters have been changed.

How are you testing?  For example, if you do this:
adb shell
su
mkdir /data/security/current
cp /sepolicy /*_contexts /selinux_version /system/etc/security/mac_permissions.xml /data/security/current
setprop selinux.reload_policy 1

You should get output in dmesg.

On 6.0, I get the following output because the default policy no longer allows reloading policy, even from init:
[3052229.843161] init: SELinux:  Could not load policy:  Permission denied
[3052229.843255] type=1400 audit(13981262.321:6): avc: denied { load_policy } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:object_r:kernel:s0 tclass=security permissive=0
[3052229.843290] init: Failed to reload policy

On 5.1.1, I get the following output from the kernel in dmesg, showing that the reload occurred:
<7>[  140.808129] SELinux: 2048 avtab hash slots, 4630 rules.
<7>[  140.809228] SELinux: 2048 avtab hash slots, 4630 rules.
<7>[ 140.809243] SELinux: 1 users, 2 roles, 454 types, 0 bools, 1 sens, 1024 cats
<7>[  140.809251] SELinux:  87 classes, 4630 rules
<38>[ 140.833085] type=1403 audit(66596379.100:5): policy loaded auid=4294967295 ses=4294967295

AFAIK, 5.0 does not differ from 5.1.1 in this regard, but I don't have a 5.0 build readily available to test.


 > Subject: Re: Cannot trigger policy reload
 > To: [email protected]; [email protected]
 > From: [email protected]
 > Date: Wed, 13 Jan 2016 09:25:51 -0500
 >
 > On 01/13/2016 06:08 AM, Federico Colangelo wrote:
 > > Hi list,
 > >
 > > I am trying to trigger a policy reload on my Nexus 5
 > > following the instructions found in
 > > http://seandroid.bitbucket.org/Policy.html
 > > However the policy reload does not trigger (I cannot find any log about
 > > it running dmesg from adb).
 > > The adb daemon is running as root and I have tried to place the policy
 > > files in different directories
 > > (i.e. /data/security/, /data/security/current/) without success.
 > > What is wrong with the procedure?
 >
 > What version of Android are you running? The policy reload mechanism was
 > disabled by policy in 6.0, although one can certainly allow it if
 > building your own ROM.
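
Added example, not part of the original thread: one way to classify a saved dmesg capture as "policy reloaded", "reload denied" or "no evidence", using the two kinds of audit record quoted above (type=1403 policy load, type=1400 AVC denial of load_policy). The function names are hypothetical and the sample input is constructed from the lines quoted in this thread.

```python
import re

# Constructed samples, copied from the dmesg output quoted in this thread.
DMESG_6_0 = """\
[3052229.843161] init: SELinux:  Could not load policy:  Permission denied
[3052229.843255] type=1400 audit(13981262.321:6): avc: denied { load_policy } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:object_r:kernel:s0 tclass=security permissive=0
[3052229.843290] init: Failed to reload policy
"""
DMESG_5_1_1 = """\
<7>[  140.809251] SELinux:  87 classes, 4630 rules
<38>[ 140.833085] type=1403 audit(66596379.100:5): policy loaded auid=4294967295 ses=4294967295
"""

AUDIT_RE = re.compile(r"type=(\d+) audit\(([\d.]+):(\d+)\):\s*(.*)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(line):
    """Return a dict for the audit record in a dmesg line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"type": int(m.group(1)), "serial": int(m.group(3)),
           "body": m.group(4), "perms": [], "fields": {}}
    avc = AVC_RE.match(rec["body"])
    if avc:
        rec["result"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
        # key=value pairs after "for": pid, comm, scontext, tcontext, tclass, ...
        rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(avc.group(3))}
    return rec


def reload_status(dmesg_text):
    """Classify a dmesg capture: 'loaded', 'denied' or 'no-evidence'."""
    status = "no-evidence"
    for line in dmesg_text.splitlines():
        rec = parse_audit(line)
        if rec is None:
            continue
        if rec["type"] == 1403 and rec["body"].startswith("policy loaded"):
            return "loaded"  # kernel logged a policy load
        if (rec["type"] == 1400 and rec.get("result") == "denied"
                and "load_policy" in rec["perms"]
                and rec["fields"].get("tclass") == "security"):
            status = "denied"  # reload was attempted but blocked by policy
    return status
```

A result of 'no-evidence' matches the original report: nothing in dmesg, which means the reload was never attempted rather than attempted and denied.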


_______________________________________________
Seandroid-list mailing list