On Wed, 2017-12-06 at 09:11 -0500, Stephen Smalley wrote:
> On Thu, 2017-11-30 at 11:21 +0530, Iranna Badiger wrote:
> > Hi,
> > 
> > I am getting some denials at boot-up, which are mentioned below:
> > 
> >  type=1400 audit(1219320528.560:4): avc:  denied  { relabelfrom }
> > for  pid=1 comm="init" name="Mypath.bin" dev="mmcblk0p16" ino=24922
> > scontext=u:r:init:s0 tcontext=u:object_r:mypath:s0:c512,c768
> > tclass=file permissive=0
> > 
> > 1. /Mypath/Mypath.bin is created by Platform_app process which has
> > label as below,
> > 
> > MyService u:r:platform_app:s0:c512,c768
> > 
> > 2. On every boot in init I am doing restorecon_recursive on the
> > Mypath/ dir.
> > 
> > The above denial is seen only sometimes, not on every boot-up. I am
> > worried about whether to allow the relabelfrom permission for init.
> > 
> > 1. Hoping to know why these denials are printed only sometimes, and
> > not on every boot-up.
> > 
> > Can you please suggest how to go about this kind of denial.
> 
> Since you are performing a restorecon_recursive of this directory
> from init.rc, you need to allow init to relabel it.  restorecon_recursive
> however only performs the file tree walk if file_contexts has changed
> since the last time, which is why you only see the denial sometimes.
> Normally, init is allowed relabelfrom to all file types with a few
> exceptions through a rule in init.te.  If you assigned the file_type
> attribute to your mypath type, then this rule would allow relabeling.
> 
> I think the larger issue here is that you say that a platform app
> process is creating a file outside of its own app data directory.
> That seems like a violation of Android's model.

I guess the other question is whether you added an entry for
/Mypath(/.*)? to file_contexts so that restorecon_recursive sets the
context correctly.
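As an added example (not code from the thread or from AOSP), here is what the two fixes Stephen describes look like in Android's SEPolicy syntax, side by side with the declaration that produces the denial. The names mypath, /Mypath and platform_app are taken from the denial quoted above; the file names mypath.te and the exact form of the file_contexts entry are assumptions.

```sepolicy
# file_contexts (assumed entry). Without a matching entry,
# restorecon_recursive has nothing to apply to /Mypath, so the files
# simply keep whatever label their creator gave them.
/Mypath(/.*)?        u:object_r:mypath:s0

# mypath.te -- before: a bare type with no attribute.
# init.te grants init relabelfrom on the file_type attribute (minus a few
# exceptions), so a type that lacks file_type is not covered by that rule
# and the tree walk produces "denied { relabelfrom }" for pid 1.
type mypath;

# mypath.te -- after: carry the file_type attribute so init's existing
# rule covers it. No extra "allow init mypath:file relabelfrom;" is needed.
type mypath, file_type;

# init.rc line that triggers the walk (only when file_contexts changed):
#   restorecon_recursive /Mypath
```

Two checks before declaring the denial fixed: confirm with `ls -Z /Mypath` that the files really end up as u:object_r:mypath:s0 after the walk, and confirm that the init.te rule you rely on grants relabelto as well as relabelfrom, since restorecon changes the label in both directions (the denial only showed the first one that failed). The denial above also carries the app's categories (c512,c768) on the file, which is the footprint of a platform_app process writing outside its own data directory, the larger issue Stephen raises; attributes on the type do not remove that.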
