On 05/25/2016 08:08 AM, Inamdar Sharif wrote:
> Hi Guys,
>
> I am getting the following denials and kernel panic while enabling
> SELinux on k4.4
>
> <snip>
> [ 4.402909] init: init started!
> [ 4.413108] SELinux: Android master kernel running Android M policy in compatibility mode.
> [ 4.426907] SELinux: Permission module_load in class system not defined in policy.

For module_load, you need this change for policy:
https://android-review.googlesource.com/#/c/213981/

> [ 4.434937] SELinux: Class netlink_iscsi_socket not defined in policy.
> [ 4.441594] SELinux: Class netlink_fib_lookup_socket not defined in policy.
> [ 4.448697] SELinux: Class netlink_connector_socket not defined in policy.
> [ 4.455667] SELinux: Class netlink_netfilter_socket not defined in policy.
> [ 4.462666] SELinux: Class netlink_generic_socket not defined in policy.
> [ 4.469468] SELinux: Class netlink_scsitransport_socket not defined in policy.
> [ 4.476813] SELinux: Class netlink_rdma_socket not defined in policy.
> [ 4.483343] SELinux: Class netlink_crypto_socket not defined in policy.

For the new netlink classes, you need this change from policy:
https://android-review.googlesource.com/#/c/151750/

> [ 4.490120] SELinux: the above unknown classes and permissions will be denied
> [ 4.545590] audit: type=1403 audit(1464177814.780:2): policy loaded auid=4294967295 ses=4294967295
> [ 4.555021] audit: type=1404 audit(1464177814.792:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> [ 4.584035] audit: type=1400 audit(1464177814.820:4): avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="rootfs" ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0

The path above decodes to /dev/__kmsg__ (deleted). The fact that it has the rootfs type means you didn't have a /dev mounted before it was created?

> [ 4.616270] audit: type=1400 audit(1464177814.852:5): avc: denied { read write } for pid=1 comm="init" path=2F6465762F5F5F6E756C6C5F5F202864656C6574656429 dev="rootfs" ino=9274 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
> [ 4.639288] audit: type=1400 audit(1464177814.872:6): avc: denied { read write } for pid=1 comm="init" path=2F6465762F5F5F6E756C6C5F5F202864656C6574656429 dev="rootfs" ino=9274 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
> [ 4.662281] audit: type=1400 audit(1464177814.900:7): avc: denied { read write } for pid=1 comm="init" path=2F6465762F5F5F6E756C6C5F5F202864656C6574656429 dev="rootfs" ino=9274 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
> [ 4.686902] audit: type=1400 audit(1464177814.920:8): avc: denied { create } for pid=1 comm="init" name="__kmsg__" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
> [ 4.704615] audit: type=1400 audit(1464177814.940:9): avc: denied { create } for pid=1 comm="init" name="__kmsg__" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
> [ 4.722262] audit: type=1400 audit(1464177814.960:10): avc: denied { create } for pid=1 comm="init" name=".booting" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
> [ 4.739943] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
> </snip>
>
> I am using the AOSP kernel 4.4
> https://android.googlesource.com/kernel/common/+/android-4.4
>
> Also, one more issue which I am facing is that I am not able to change the
> mode to permissive mode.
>
> I tried adding “BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive”
> but no effect.

Where did you add the variable? Is it being overridden elsewhere in another .mk file? Is this a -userdebug or -eng build? Are you using AOSP master or a particular release?

> Am I missing any kernel changes which can solve this issue??
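
The hex decoding mentioned in the reply above, as an added example that is not part of the original thread: a Python parser that reads `avc: denied` records, decodes the hex-encoded `path`/`name`/`comm` values the audit subsystem emits for strings containing spaces or other special characters, and groups repeated denials. The function names are hypothetical; the sample lines are copied from the log quoted in this message.

```python
import re
from collections import Counter

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-F]{2})+")
UNTRUSTED = {"path", "name", "comm"}  # fields audit may hex-encode

def decode_untrusted(raw):
    """Quoted values are literal; unquoted all-hex values are encoded bytes."""
    if raw.startswith('"'):
        return raw.strip('"')
    if HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw  # e.g. "(null)"

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {}
    for key, raw in FIELD_RE.findall(m.group(2)):
        rec[key] = decode_untrusted(raw) if key in UNTRUSTED else raw.strip('"')
    rec["perms"] = tuple(m.group(1).split())
    return rec

def summarize(log_text):
    """Count denials per (scontext, tcontext, tclass, perms, object)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            obj = rec.get("path") or rec.get("name", "?")
            counts[(rec.get("scontext"), rec.get("tcontext"),
                    rec.get("tclass"), rec["perms"], obj)] += 1
    return counts

# Sample input: four records copied from the quoted dmesg output.
SAMPLE = """\
[ 4.584035] audit: type=1400 audit(1464177814.820:4): avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="rootfs" ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
[ 4.616270] audit: type=1400 audit(1464177814.852:5): avc: denied { read write } for pid=1 comm="init" path=2F6465762F5F5F6E756C6C5F5F202864656C6574656429 dev="rootfs" ino=9274 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
[ 4.639288] audit: type=1400 audit(1464177814.872:6): avc: denied { read write } for pid=1 comm="init" path=2F6465762F5F5F6E756C6C5F5F202864656C6574656429 dev="rootfs" ino=9274 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
[ 4.722262] audit: type=1400 audit(1464177814.960:10): avc: denied { create } for pid=1 comm="init" name=".booting" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
"""

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Grouping by source context, target context, class and permission shows at a glance that every denial here targets the `rootfs` type, which is the observation the reply makes about `/dev`.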
