On 05/25/2016 09:51 AM, Inamdar Sharif wrote:
>
> From: Stephen Smalley [mailto:[email protected]]
> Sent: Wednesday, May 25, 2016 6:43 PM
> To: Inamdar Sharif; [email protected]
> Subject: Re: SELinux failing with kernel 4.4 (Kernel panic)
>
> On 05/25/2016 08:38 AM, Inamdar Sharif wrote:
>>>>> [ 4.584035] audit: type=1400 audit(1464177814.820:4): avc: denied {
>>>>> write } for pid=1 comm="init"
>>>>> path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="rootfs"
>>>>> ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0
>>>>> tclass=chr_file permissive=0
>>>>
>>>> The path above decodes to /dev/__kmsg__ (deleted). The fact that it has
>>>> the rootfs type means you didn't have a /dev mounted before it was created?
>>>>
>>>
>>> I am just changing the kernel. Rest all is same. SELinux works fine with
>>> 3.18. Is this some issue in init??
>>
>> system/core/init/init.cpp does this:
>>     if (is_first_stage) {
>>         mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
>> before it does:
>>     open_devnull_stdio();
>>     klog_init();
>>
>> and system/core/libcutils/klog.c:klog_init() does the /dev/__kmsg__ node
>> creation.
>>
>> So you should have a tmpfs mount on /dev, and thus /dev/__kmsg__ should be
>> labeled tmpfs, and init.te has:
>>     allow init tmpfs:chr_file create_file_perms;
>>
>> So, unless your kernel config doesn't enable TMPFS, I'm not sure why you
>> would end up with a rootfs /dev/__kmsg__.
>>
>> I guess that's an interesting question - how does your .config differ
>> between 4.4 and 3.18?
>>
>
> Yes in 4.4 CONFIG_TMPFS is not enabled.

Ok, I assume that was just an oversight on your part? Are you generating
your kernel config as per kernel/common/android/configs/README so that it
includes the base and recommended settings?

Looks like TMPFS ought to be moved to android-base.cfg since it is required
by init. And maybe init ought to be checking the return values of mount()
calls...

>
>>>>> Also one more issue which I am facing that I am not able to change
>>>>> the mode to permissive mode.
>>>>>
>>>>> I tried adding “BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive”
>>>>> but no effect.
>>>>
>>>> Where did you add the variable? Is it being overridden elsewhere in
>>>> another .mk file?
>>>>
>>>
>>> I have added this variable in BoardConfig.mk. Is there any other way to do
>>> it??
>>
>> I'd expect there to already be a BOARD_KERNEL_CMDLINE definition somewhere
>> in your BoardConfig.mk file (or BoardConfigCommon.mk, or another .mk file
>> that gets included). So I would check to see if there are any such
>> definitions in your device or vendor trees and make sure that the
>> definition you added isn't just being overridden by another.
>> Usually you would append androidboot.selinux=permissive to an existing
>> BOARD_KERNEL_CMDLINE definition.
>>
>
> I tried using "+=" but still the same. Using + should take effect right??

It depends on whether there is a subsequent definition in the same file or
another file that does a := and thereby clobbers the definition entirely.

grep -r BOARD_KERNEL_CMDLINE device/<vendor>/<product>

to see if you have it defined anywhere. Also check for any includes of
other .mk files from outside of your device tree.
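
The diagnosis discussed in this message, as an added example (not part of the original thread or of AOSP): a small Python parser that decodes the hex-encoded path= field of the AVC denial quoted above and flags a /dev node that carries the rootfs type. The function names and the SAMPLE line (the thread's denial joined onto one line) are constructed for illustration.

```python
import re

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE = (
    'audit: type=1400 audit(1464177814.820:4): avc: denied { write } for pid=1 '
    'comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 '
    'dev="rootfs" ino=9275 scontext=u:r:kernel:s0 '
    'tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
STRING_FIELDS = {"path", "name", "comm"}  # fields the kernel may hex-encode


def decode_value(key, raw):
    """Quoted values are literal; an unquoted string field is hex-encoded."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in STRING_FIELDS and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line):
    """Return the AVC record as a dict with decoded field values."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, raw in FIELD_RE.findall(line[m.end():]):
        rec[key] = decode_value(key, raw)
    return rec


def dev_label_findings(rec):
    """Flag a /dev node whose target type is rootfs (no tmpfs on /dev)."""
    parts = rec.get("tcontext", "").split(":")
    ttype = parts[2] if len(parts) >= 3 else ""
    path = rec.get("path", "").split(" (deleted)")[0]
    if path.startswith("/dev/") and ttype == "rootfs":
        return [f"{path} is labeled rootfs: /dev was not a tmpfs mount when "
                "it was created (check CONFIG_TMPFS and mount() results)"]
    return []


if __name__ == "__main__":
    record = parse_avc(SAMPLE)
    print(record["path"], dev_label_findings(record))
```
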
