On Wed, 2017-12-06 at 09:11 -0500, Stephen Smalley wrote:
> On Thu, 2017-11-30 at 11:21 +0530, Iranna Badiger wrote:
> > Hi,
> >
> > I am getting some denials at bootup, which are mentioned below:
> >
> > type=1400 audit(1219320528.560:4): avc: denied { relabelfrom }
> > for pid=1 comm="init" name="Mypath.bin" dev="mmcblk0p16" ino=24922
> > scontext=u:r:init:s0 tcontext=u:object_r:mypath:s0:c512,c768
> > tclass=file permissive=0
> >
> > 1. /Mypath/Mypath.bin is created by the Platform_app process, which has
> > the label below:
> >
> > MyService u:r:platform_app:s0:c512,c768
> >
> > 2. On every boot in init I am doing restorecon_recursive on the
> > Mypath/ dir.
> >
> > The above denial is seen only sometimes, not on every boot up. I am
> > worried whether to allow the relabelfrom permission for init.
> >
> > 1. Hoping to know why these denials are printed only sometimes, why
> > not on every bootup.
> >
> > Can you please suggest how to go about this kind of denial?
>
> Since you are performing a restorecon_recursive of this directory from
> init.rc, you need to allow init to relabel it. restorecon_recursive
> however only performs the file tree walk if file_contexts has changed
> since the last time, which is why you only see the denial sometimes.
> Normally, init is allowed relabelfrom to all file types with a few
> exceptions through a rule in init.te. If you assigned the file_type
> attribute to your mypath type, then this rule would allow relabeling.
>
> I think the larger issue here is that you say that a platform app
> process is creating a file outside of its own app data directory. That
> seems like a violation of Android's model.
I guess the other question is whether you added an entry for /Mypath(/.*)? to file_contexts so that restorecon_recursive sets the context correctly.
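As an added illustration of the two fixes Stephen describes (this is not from the original thread or from any Android sepolicy tree): the type declaration carrying the file_type attribute, the file_contexts entry for /Mypath(/.*)?, and the init.rc trigger. It assumes the type is named mypath as in the denial and that the device policy follows the standard Android sepolicy file layout.

```sepolicy
# file.te (device sepolicy, assumed location): declare the type named in the
# denial's tcontext and give it the file_type attribute. The existing
# relabelfrom/relabelto rule for init in init.te is written against
# file_type, so it covers mypath once the attribute is present. Without
# the attribute the type is outside that rule and init's relabel is denied.
type mypath, file_type;

# file_contexts (device sepolicy): the entry restorecon_recursive consults
# to decide what /Mypath and everything beneath it should be labelled.
# Without this entry the walk has no target label for the tree, so a
# correct type declaration alone does not fix the labelling.
/Mypath(/.*)?    u:object_r:mypath:s0

# init.rc: the trigger from the thread. Note that the tree walk, and with
# it the relabelfrom check that produced the denial, only runs when
# file_contexts has changed since the previous boot, which is why the
# denial appears intermittently rather than on every boot.
restorecon_recursive /Mypath
```

After adding the entry, expect one more walk on the next boot (file_contexts changed), and the denial should not recur as long as mypath carries file_type.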