I have increased the log level and now I see something!

root@hammerhead:/data/security/current # setprop sys.init_log_level 8
root@hammerhead:/data/security/current # setprop selinux.reload_policy 1
root@hammerhead:/data/security/current # dmesg | grep 'SELinux'
<6>[ 8159.046198] init: SELinux: Attempting to reload policy files
<4>[ 8159.064590] SELinux: Loaded file_contexts from /file_contexts
<6>[ 8159.064945] init: SELinux: Loaded property contexts from /property_contexts
<6>[ 8296.911908] init: SELinux: Attempting to reload policy files
<4>[ 8296.932916] SELinux: Loaded file_contexts from /file_contexts
<6>[ 8296.935108] init: SELinux: Loaded property contexts from /property_contexts

It seems, however, that a part of the output is still missing. Is it maybe
because the policies I have compiled affect only a very small part of the
system?

From: [email protected]
To: [email protected]; [email protected]
Subject: RE: Cannot trigger policy reload
Date: Wed, 13 Jan 2016 16:08:12 +0100




I have the following files in /data/security/current

file_contexts
genfs_contexts
initial_sid_contexts
mac_permission.xml
port_contexts
property_contexts
seapp_contexts
selinux_version
sepolicy
service_contexts

I'm using an adb shell started with

./adb root
./adb shell

Triggering reload by typing in the adb shell

setprop selinux.reload_policy 1

after that I use

dmesg | grep 'SELinux'

but nothing is displayed.

Precedently, I saw the permission denied message when the adb daemon was not
running as root.

> Subject: Re: Cannot trigger policy reload
> To: [email protected]; [email protected]
> From: [email protected]
> Date: Wed, 13 Jan 2016 09:48:59 -0500
> 
> On 01/13/2016 09:27 AM, Federico Colangelo wrote:
> > Hi
> >
> > I am using 5.0 (lollipop), the system is a custom build but no
> > parameters have been changed.
> 
> How are you testing?  For example, if you do this:
> adb shell
> su
> mkdir /data/security/current
> cp /sepolicy /*_contexts /selinux_version /system/etc/security/mac_permissions.xml /data/security/current
> setprop selinux.reload_policy 1
> 
> You should get output in dmesg.
> 
> On 6.0, I get the following output because the default policy no longer 
> allows reloading policy, even from init:
> [3052229.843161] init: SELinux:  Could not load policy:  Permission denied
> [3052229.843255] type=1400 audit(13981262.321:6): avc: denied { load_policy } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:object_r:kernel:s0 tclass=security permissive=0
> [3052229.843290] init: Failed to reload policy
> 
> On 5.1.1, I get the following output from the kernel in dmesg, showing 
> that the reload occurred:
> <7>[  140.808129] SELinux: 2048 avtab hash slots, 4630 rules.
> <7>[  140.809228] SELinux: 2048 avtab hash slots, 4630 rules.
> <7>[  140.809243] SELinux:  1 users, 2 roles, 454 types, 0 bools, 1 sens, 1024 cats
> <7>[  140.809251] SELinux:  87 classes, 4630 rules
> <38>[  140.833085] type=1403 audit(66596379.100:5): policy loaded auid=4294967295 ses=4294967295
> 
> AFAIK, 5.0 does not differ from 5.1.1 in this regard, but I don't have a 
> 5.0 build readily available to test.
> 
> >
> >  > Subject: Re: Cannot trigger policy reload
> >  > To: [email protected]; [email protected]
> >  > From: [email protected]
> >  > Date: Wed, 13 Jan 2016 09:25:51 -0500
> >  >
> >  > On 01/13/2016 06:08 AM, Federico Colangelo wrote:
> >  > > Hi list,
> >  > >
> >  > > I am trying to trigger a policy reload on my nexus 5
> >  > > following the instructions found in
> >  > > http://seandroid.bitbucket.org/Policy.html
> >  > > However the policy reload does not trigger (I cannot find any log about
> >  > > it running dmesg from adb).
> >  > > The adb daemon is running as root and I have tried to place the policy
> >  > > files in different directories
> >  > > ( i.e. /data/security/ , /data/security/current/ ) without success.
> >  > > What is wrong with the procedure?
> >  >
> >  > What version of Android are you running? The policy reload mechanism was
> >  > disabled by policy in 6.0, although one can certainly allow it if
> >  > building your own ROM.
> 
> 
                                          

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].                                     
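
Added example (not part of the thread and not SEAndroid project code): a small Python classifier for the dmesg evidence discussed above, separating "init attempted a reload", "kernel loaded a policy" and "load_policy was denied". The function name, verdict labels and sample constants are assumptions of this example; the sample lines are copied from the messages with mail line wraps joined.

```python
import re

# Kernel log excerpts copied from the thread above (mail line wraps joined).
SAMPLE_5_0 = """\
<6>[ 8159.046198] init: SELinux: Attempting to reload policy files
<4>[ 8159.064590] SELinux: Loaded file_contexts from /file_contexts
<6>[ 8159.064945] init: SELinux: Loaded property contexts from /property_contexts
"""
SAMPLE_5_1_1 = """\
<7>[  140.809251] SELinux:  87 classes, 4630 rules
<38>[  140.833085] type=1403 audit(66596379.100:5): policy loaded auid=4294967295 ses=4294967295
"""
SAMPLE_6_0 = """\
[3052229.843161] init: SELinux:  Could not load policy:  Permission denied
[3052229.843255] type=1400 audit(13981262.321:6): avc: denied { load_policy } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:object_r:kernel:s0 tclass=security permissive=0
[3052229.843290] init: Failed to reload policy
"""

# AVC denial fields needed to explain who was refused which permission.
AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?scontext=(\S+)"
                 r".*?tcontext=(\S+).*?tclass=(\S+)")

def classify_reload(dmesg_text):
    """Summarise what a dmesg capture proves about a policy reload (hypothetical helper)."""
    attempted = loaded = failed = False
    denials = []
    for line in dmesg_text.splitlines():
        if "Attempting to reload policy files" in line:
            attempted = True          # init reacted to selinux.reload_policy
        if "type=1403" in line and "policy loaded" in line:
            loaded = True             # kernel audit record: policy was loaded
        if "Could not load policy" in line or "Failed to reload policy" in line:
            failed = True
        m = AVC.search(line)
        if m and "load_policy" in m.group(1).split():
            denials.append({"scontext": m.group(2), "tcontext": m.group(3),
                            "tclass": m.group(4)})
    if loaded:
        verdict = "reloaded"
    elif failed or denials:
        verdict = "denied"
    elif attempted:
        verdict = "attempted-only"    # init logged the attempt, no kernel load record
    else:
        verdict = "no-evidence"
    return {"verdict": verdict, "denials": denials}

if __name__ == "__main__":
    for name in ("SAMPLE_5_0", "SAMPLE_5_1_1", "SAMPLE_6_0"):
        print(name, classify_reload(globals()[name]))
```

The `type=1403` audit record does not contain the string `SELinux`, so pass the full `dmesg` output to the classifier rather than the result of `grep 'SELinux'`.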