Hello everyone,
We have applied all the suggested patches mentioned below but as Sameer already mentioned we are still getting error messages while booting, after which system automatically restarts.

We have tried debugging the kernel itself and found the following:

it starts reading file /sepolicy in external/libselinux/src/android.c in function selinux_android_load_policy_helper
in device/avaya/brio-kernel/security/selinux/ss/services.c calls security_load_policy
which in device/avaya/brio-kernel/security/selinux/ss/policydb.c calls policydb_read
which in the same file with function pointer calls class_read
which finally in the same file calls read_cons_helper
in which it goes through the default switch clause which returns -EINVAL because e->expr_type is 64, which is defined in device/avaya/brio-kernel/security/selinux/ss/constraint.h as

    #define CEXPR_L1H2 64 /* low level 1 vs. high level 2 */

We are using Linux 3.10.65.

Can anyone please help us with this error?

Regards,
Milan.

________________________________
From: Sameer Joshi <[email protected]>
Sent: Thursday, August 4, 2016 4:12 PM
To: Jeffrey Vander Stoep
Cc: William Roberts; [email protected]; Aksic, Milan
Subject: Re: Regarding enabling selinux on Android

Hi,

After adding these commits, the selinux still fails to initialize with a new error:

init: init started!
init: SELinux: Could not load policy: Invalid argument
init: failed to load policy: Invalid argument
init: Security failure; rebooting into recovery mode...

Please let me know if there is some additional change needed to support this.

Regards,
Sameer Joshi

On Tue, Aug 2, 2016 at 8:10 PM, Jeffrey Vander Stoep <[email protected]> wrote:

Confirmed that those are the correct patches.

On Mon, Aug 1, 2016 at 10:25 PM Sameer Joshi <[email protected]> wrote:

Thanks Bill.

We are working on Marshmallow, so we need the old version 30 patches for kernel it seems.
From the email chain that was shared by Sharif, it seems following are the patches required to be merged for Kernel version 3.10:

c8c3cd48e44fe12a41cd20e46d36fcfe5a759fd7 security: lsm_audit: add ioctl specific auditing
8daca972e410f42a4fc1fe2de804c50013b24a28 SELinux: per-command whitelisting of ioctls
c9a8571249fa3a55a0490bd571eaf0cea097fab0 SELinux: use deletion-safe iterator to free list
8cdfb356b51e29494ca0b9e4e86727d6f841a52d SELinux: ss: Fix policy write for ioctl operations

Can anyone confirm if these are the final patches needed for Kernel 3.10?

Regards,
Sameer Joshi

On Tue, Aug 2, 2016 at 9:50 AM, William Roberts <[email protected]> wrote:

On Aug 1, 2016 04:17, "Sameer Joshi" <[email protected]> wrote:
>
> Hi All,
>
> We are trying to enable SELinux in kernel and have defined following options in the config file.
>
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
>
> Command line options for kernel have "selinux=1 security=selinux" set.
>
> However during boot time, we get following error:
>
> [ 5.549941] SELinux: policydb version 30 does not match my version range 15-28
> [ 5.557486] init: SELinux: Could not load policy: Invalid argument
> [ 5.563990] init: failed to load policy: Invalid argument
> [ 5.569413] init: Security failure; rebooting into recovery mode...
>
> Can someone help us what this error means? Any help in fixing this would be appreciated.
>

Your kernel is not up to date. You need the patches from Android's kernel common tree. Bear in mind that there are two version 30s, and you'll need to have the right one. Marshmallow uses the old version 30. Newer releases use the new and upstream merged version 30.

I don't have the patch links handy but I'm pretty sure jeffv or nnk at Google posted them, check the mail archives.
> Regards,
> Sameer Joshi
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
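
The first failure quoted in this thread ("policydb version 30 does not match my version range 15-28") comes from a check on the policy file header, which can be reproduced on a build host before flashing. The C code below is an added example, not code from the thread or from the kernel tree; it assumes the kernel binary policy header layout (little-endian magic 0xf97cff8c, a length-prefixed "SE Linux" string, then the version word), and the function names and sample bytes are constructed for illustration. As the thread notes, there are two version 30s, so a matching version number is necessary but does not by itself show that the policy body will parse.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POLICYDB_MAGIC  0xf97cff8cU  /* magic word at offset 0 of a kernel policy */
#define POLICYDB_STRING "SE Linux"   /* identification string that follows it */

/* Read a little-endian u32 regardless of host byte order. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Return the policy version from the header, or -1 if it is not a kernel policy. */
int policy_version(const unsigned char *buf, size_t len)
{
    size_t slen = strlen(POLICYDB_STRING);

    if (len < 8 + slen + 4) return -1;                  /* truncated header */
    if (le32(buf) != POLICYDB_MAGIC) return -1;         /* wrong magic */
    if (le32(buf + 4) != slen) return -1;               /* wrong string length */
    if (memcmp(buf + 8, POLICYDB_STRING, slen) != 0) return -1;
    return (int)le32(buf + 8 + slen);                   /* version word */
}

/* 0 = inside the kernel's range, 1 = outside it (load fails), -1 = not a policy. */
int check_policy(const unsigned char *buf, size_t len, int kmin, int kmax)
{
    int v = policy_version(buf, len);
    if (v < 0) return -1;
    return (v < kmin || v > kmax) ? 1 : 0;
}

/* Constructed sample: only the header bytes of a version 30 policy. */
static const unsigned char sample_v30[] = {
    0x8c, 0xff, 0x7c, 0xf9,                  /* magic, little-endian */
    0x08, 0x00, 0x00, 0x00,                  /* string length = 8 */
    'S', 'E', ' ', 'L', 'i', 'n', 'u', 'x',
    0x1e, 0x00, 0x00, 0x00,                  /* version = 30 */
};

int main(void)
{
    int rc = check_policy(sample_v30, sizeof sample_v30, 15, 28);
    printf("version %d vs kernel range 15-28: %s\n",
           policy_version(sample_v30, sizeof sample_v30), rc ? "rejected" : "ok");
    return 0;
}
```

To check a real image, read the first 20 bytes of the built sepolicy file into a buffer and pass the minimum and maximum versions that the target kernel prints in its boot log.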
