On Thu, 2017-11-30 at 11:21 +0530, Iranna Badiger wrote:
> Hi,
>
> I am getting some denials at bootup, which are mentioned below:
>
> type=1400 audit(1219320528.560:4): avc: denied { relabelfrom }
> for pid=1 comm="init" name="Mypath.bin" dev="mmcblk0p16" ino=24922
> scontext=u:r:init:s0 tcontext=u:object_r:mypath:s0:c512,c768
> tclass=file permissive=0
>
> 1. /Mypath/Mypath.bin is created by the Platform_app process, which has
> the label below:
>
> MyService u:r:platform_app:s0:c512,c768
>
> 2. On every boot in init I am doing restorecon_recursive on the Mypath/
> dir.
>
> The above denial is seen only sometimes, not on every bootup. I am worried
> about whether to allow the relabelfrom permission for init.
>
> 1. I am hoping to know why these denials are printed only sometimes, and
> not on every bootup.
>
> Can you please suggest how to go about this kind of denial?
Since you are performing a restorecon_recursive of this directory from init.rc, you need to allow init to relabel it. restorecon_recursive, however, only performs the file tree walk if file_contexts has changed since the last time, which is why you only see the denial sometimes. Normally, init is allowed relabelfrom to all file types, with a few exceptions, through a rule in init.te. If you assigned the file_type attribute to your mypath type, then this rule would allow relabeling.

I think the larger issue here is that you say that a platform app process is creating a file outside of its own app data directory. That seems like a violation of Android's model.
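For readers following the reply, here is an illustrative device policy fragment showing what "assign the file_type attribute to your mypath type" looks like in practice. This is an added example, not code from the thread or from AOSP; the file paths, the data_file_type attribute and the post-fs-data trigger are assumptions, while the type name mypath and the /Mypath path come from the question above.

```selinux
# --- file.te (device sepolicy; path is an assumption) ---
# Declaring the type with the file_type attribute is what makes the
# generic init relabel rule in init.te cover it, so no device-specific
# "allow init mypath:file relabelfrom" rule is needed.
# data_file_type is assumed here because the file lives on a writable
# data partition; drop it if that does not match the device layout.
type mypath, file_type, data_file_type;

# --- file_contexts ---
# Maps the path to the type so restorecon_recursive knows the label the
# files should carry. The (/.*)? suffix covers the directory and everything
# under it, including /Mypath/Mypath.bin from the denial.
/Mypath(/.*)?    u:object_r:mypath:s0

# --- init.rc ---
# The relabel described in the question. As the reply notes, the tree walk
# only runs when file_contexts changed since the last boot, which is why the
# relabelfrom denial only appears on some boots. The trigger is assumed.
on post-fs-data
    restorecon_recursive /Mypath
```

With the type carrying file_type, the next boot after a file_contexts change should relabel /Mypath without an avc denial from init; if the denial persists, check that the rule in init.te has not been narrowed by a device-specific exclusion for this type.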