On Thu, 2017-11-30 at 11:21 +0530, Iranna Badiger wrote:
> Hi,
> 
> I am getting some denials at bootup, which are mentioned below:
> 
>  type=1400 audit(1219320528.560:4): avc:  denied  { relabelfrom }
> for  pid=1 comm="init" name="Mypath.bin" dev="mmcblk0p16" ino=24922
> scontext=u:r:init:s0 tcontext=u:object_r:mypath:s0:c512,c768
> tclass=file permissive=0
> 
> 1. /Mypath/Mypath.bin is created by Platform_app process which has
> label as below,
> 
> MyService u:r:platform_app:s0:c512,c768
> 
> 2. On every boot, in init I am doing restorecon_recursive on the Mypath/
> dir.
> 
> The above denial is seen only sometimes, not on every bootup. I am worried
> about whether to allow the relabelfrom permission for init.
> 
> 1. Hoping to know why these denials are printed only sometimes, and why
> not on every bootup.
> 
> Can you please suggest how to go about these kinds of denials?

Since you are performing a restorecon_recursive of this directory from
init.rc, you need to allow init to relabel it.  restorecon_recursive
however only performs the file tree walk if file_contexts has changed
since the last time, which is why you only see the denial sometimes.
Normally, init is allowed relabelfrom to all file types with a few
exceptions through a rule in init.te.  If you assigned the file_type
attribute to your mypath type, then this rule would allow relabeling.

I think the larger issue here is that you say that a platform app
process is creating a file outside of its own app data directory.  That
seems like a violation of Android's model.
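
The skip behaviour described in the reply, as a small Python model added here (not part of the original thread and not Android's code): the tree walk runs only when a digest of file_contexts differs from the one saved by the previous walk, so the denial shows up only on boots that follow a file_contexts change. The prefix matching, the `relabel_ok` set standing in for init's relabelfrom rule, the `/other` entry and the four-boot scenario are constructed assumptions.

```python
import hashlib

def digest(file_contexts):
    """Stable digest of the entries (stand-in for hashing the real file)."""
    return hashlib.sha256(repr(sorted(file_contexts.items())).encode()).hexdigest()

def expected(file_contexts, path):
    """Longest matching path prefix wins; real file_contexts uses regexes."""
    hits = [p for p in file_contexts if path.startswith(p)]
    return file_contexts[max(hits, key=len)] if hits else None

def restorecon_recursive(tree, root, file_contexts, relabel_ok):
    """Model of init's restorecon_recursive on `root`.

    tree: {"labels": {path: context}, "last": digest saved by the previous walk}
    relabel_ok: types init may relabelfrom (modelled as: types with file_type).
    Returns the denial strings produced by this boot.
    """
    now = digest(file_contexts)
    if tree.get("last") == now:
        return []                      # file_contexts unchanged: walk skipped
    denials = []
    for path in sorted(tree["labels"]):
        if not path.startswith(root):
            continue
        cur, want = tree["labels"][path], expected(file_contexts, path)
        if want is None or cur == want:
            continue
        if cur.split(":")[2] in relabel_ok:
            tree["labels"][path] = want
        else:
            denials.append(f"denied {{ relabelfrom }} comm=init name={path} tcontext={cur}")
    tree["last"] = now                 # model assumption: saved even after a denial
    return denials

def boots(relabel_ok):
    """Constructed scenario: four boots; returns the denial count of each."""
    fc = {"/Mypath": "u:object_r:mypath:s0"}
    tree = {"labels": {"/Mypath": "u:object_r:mypath:s0"}}
    out = [len(restorecon_recursive(tree, "/Mypath", fc, relabel_ok))]      # boot 1
    # The app creates the file; it carries the app's categories, as in the posted denial.
    tree["labels"]["/Mypath/Mypath.bin"] = "u:object_r:mypath:s0:c512,c768"
    out.append(len(restorecon_recursive(tree, "/Mypath", fc, relabel_ok)))  # boot 2
    fc = {**fc, "/other": "u:object_r:other_file:s0"}   # constructed policy update
    out.append(len(restorecon_recursive(tree, "/Mypath", fc, relabel_ok)))  # boot 3
    out.append(len(restorecon_recursive(tree, "/Mypath", fc, relabel_ok)))  # boot 4
    return out

if __name__ == "__main__":
    print(boots(relabel_ok=set()))        # init lacks relabelfrom on mypath
    print(boots(relabel_ok={"mypath"}))   # mypath carries the file_type attribute
```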
