<snip>
> > > Building for Hikey (Android) with a type permissive statement on
> > > hci_attach, yields this error:
> > >
> > > /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -c 30
> > > out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
> > > out/target/product/hikey/obj/ETC/mapping_sepolicy.cil_intermediates/mapping/current.cil
> > > out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil -o
> > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp
> > > ) && (out/host/linux-x86/bin/sepolicy-analyze
> > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp
> > > permissive >
> > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
> > > ) && (if [ \"userdebug\" = \"user\" -a -s
> > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
> > > ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2;
> > > echo \"List of invalid domains:\" 1>&2; cat
> > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
> > > 1>&2; exit 1; fi ) && (mv
> > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp
> > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )"
> > > Symbol not inside parenthesis at line 1239 of
> > > out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil
> > >
> > > To reproduce apply this patch to device/linaro/hikey:
> > > diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te index
> > > d87f444..1990d54 100644
> > > --- a/sepolicy/hci_attach.te
> > > +++ b/sepolicy/hci_attach.te
> > > @@ -1,6 +1,8 @@
> > >  type hci_attach, domain;
> > >  type hci_attach_exec, exec_type, file_type;
> > >
> > > +permissive hci_attach;
> > > +
> > >  init_daemon_domain(hci_attach)
> > >
> > >  allow hci_attach kernel:system module_request;
> > >
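Review bot: The added `permissive hci_attach;` near the top of hci_attach.te turns off enforcement for the whole domain, and nothing in the build stops it here: the check in the quoted command only fails when the variant is `user` (`[ "userdebug" = "user" -a -s ... ]`), so this userdebug build accepts it silently. That is fine for a local reproducer, but it should not be merged as is; if the statement has to live in the tree for debugging, wrap it in userdebug_or_eng() and say so in a comment.
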
> > > and build sepolicy
> > >
> > > make -j4 sepolicy
> > >
> > > I have no idea what's happening, but the statement looks different
> > > than all the other CIL statements:
> > >
> > > Failing CIL snippet:
> > >
> > > (type hci_attach)
> > > (roletype object_r hci_attach)
> > > CIL_TYPEPERMISSIVE (type hci_attach_exec)
> > > (roletype object_r hci_attach_exec)
> > > (type hci_attach_tmpfs)
> > >
> > >
> >
> > Some of the things call routines like cil_write_roletype() in write_ast.c,
> > but some just fprintf(CIL_<CAPS>). Are these features not implemented?
> >
> > If I apply this hack it works:
> > diff --git a/libsepol/cil/src/cil_write_ast.c
> > b/libsepol/cil/src/cil_write_ast.c
> > index 4ebda6a..8a25680 100644
> > --- a/libsepol/cil/src/cil_write_ast.c
> > +++ b/libsepol/cil/src/cil_write_ast.c
> > @@ -1255,7 +1255,7 @@ int __cil_write_node_helper(struct cil_tree_node
> > *node, uint32_t *finished, void
> >                 fprintf(cil_out, "CIL_TYPEBOUNDS ");
> >                 break;
> >         case CIL_TYPEPERMISSIVE:
> > -               fprintf(cil_out, "CIL_TYPEPERMISSIVE ");
> > +               fprintf(cil_out, "(typepermissive hci_attach)\n");
> >                 break;
> >         case CIL_TYPEATTRIBUTE:
> >
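Review bot: In the `CIL_TYPEPERMISSIVE` case the replacement string hard-codes `hci_attach`, so every typepermissive node in any policy would be written out as `(typepermissive hci_attach)`, which marks the wrong type permissive or fails when that type does not exist. Take the type name from the node's data instead of a literal, ideally in a helper next to the cil_write_roletype() style routines; the `CIL_TYPEBOUNDS` case in the context lines above still prints only its enum name and would hit the same parse error.
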
> > The output looks ok from sepolicy-analyze:
> >
> > $ sepolicy-analyze $OUT/root/sepolicy permissive crash_dump su
> > hci_attach
> 
> FYI This does not affect upstream SE Linux, it looks like Dan Cashman over at
> Google authored the file, so I'll drop common selinux mailing list on further
> responses. I'll take a look at fixing this today...

<snip>
That was easy, patch here:
https://android-review.googlesource.com/#/c/328669/

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
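The failure reported in the first message, as an added example (not libsepol code and not part of the thread): a small scanner that finds the first token sitting outside all parentheses in CIL text, the condition secilc names in its error. The function name `cil_first_bare_symbol` and the sample text are constructed for illustration; `sym` is assumed to hold at least one byte.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char sample[] =
    "; constructed sample modelled on the failing snippet, not build output\n"
    "(type hci_attach)\n"
    "(roletype object_r hci_attach)\n"
    "CIL_TYPEPERMISSIVE (type hci_attach_exec)\n"
    "(roletype object_r hci_attach_exec)\n";

/* Hypothetical helper: returns the 1-based line of the first token found
 * outside all parentheses (copied into sym, n >= 1), 0 if every token is
 * enclosed, or -1 on an unmatched ')'. */
long cil_first_bare_symbol(const char *s, char *sym, size_t n)
{
    long line = 1;
    int depth = 0;
    for (; *s; s++) {
        if (*s == '\n') { line++; continue; }
        if (*s == ';') {                    /* comment: skip to end of line */
            while (s[1] && s[1] != '\n') s++;
            continue;
        }
        if (*s == '"' && depth > 0) {       /* quoted string may hold ( ) ; */
            for (s++; *s && *s != '"'; s++)
                if (*s == '\n') line++;
            if (!*s) break;                 /* unterminated string: stop */
            continue;
        }
        if (*s == '(') { depth++; continue; }
        if (*s == ')') { if (--depth < 0) return -1; continue; }
        if (isspace((unsigned char)*s) || depth > 0) continue;
        size_t len = strcspn(s, " \t\r\n()");   /* bare token at top level */
        if (len >= n) len = n - 1;
        memcpy(sym, s, len);
        sym[len] = '\0';
        return line;
    }
    return 0;
}

int main(void)
{
    char sym[64] = "";
    long line = cil_first_bare_symbol(sample, sym, sizeof sym);
    printf("line %ld: %s\n", line, sym);
    return 0;
}
```

Run over a generated `.cil` file before handing it to the compiler, a non-zero result points at a writer case that emitted a placeholder instead of a statement.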