On 03/08/2018 12:05 PM, kiran mardi wrote: > Hi Stephen, > > Please find my response inline. > > Regards, > Kiran Mardi > > On Thu, Mar 8, 2018 at 8:56 PM, Stephen Smalley <s...@tycho.nsa.gov > <mailto:s...@tycho.nsa.gov>> wrote: > > Is this on AOSP master or a particular release branch? > [Kiran]: it is particular release branch Android N.
Which one? > > > > Is this occurring on a clean install or on an upgrade from a previous > version? > > [Kiran]: It is upgrade from previous version. Which previous version, and was SELinux enabled in that version? > There should be a recursive restorecon by init.rc of /data already from > post-fs-data which should label everything. > [Kiran]: yes, from my archive the restorecon is part of init.rc but it is > not recursive. is this the root cause? > > 349 > <http://2k16-xref.tpvision.com:8080/source/xref/MTK_N_NEWSTRUCT/android/n-base/system/core/rootdir/init.rc#349> > # We restorecon /data in case the userdata partition has been reset. 350 > <http://2k16-xref.tpvision.com:8080/source/xref/MTK_N_NEWSTRUCT/android/n-base/system/core/rootdir/init.rc#350> > restorecon /data That one is just to fix the label on the top directory upon a reset of userdata; if you look further down in the init.rc file you should find this line: # Set SELinux security contexts on upgrade or policy update. restorecon_recursive /data It is there in AOSP's nougat-mr2.3-release branch, for example. > > > > Is there perhaps an invalid context in your file_contexts configuration > for these directories? > Does it pass checkfc validation against your policy file? > [Kiran]: no there are no invalid file_contexts and never got any > compilation error. > > > > What does a restorecon -nv /data/misc/dhcp report from an adb shell? > [Kiran]: will get back on the result. > > > > On 03/08/2018 10:14 AM, kiran mardi wrote: > > some more data to the below issue. below are the folders which have > become unlabeled dont know the relation though. > > > > drwxrwxr-x 2 dhcp dhcp u:object_r:unlabeled:s0 > 24576 2013-03-30 16:44 dhcp > > drwxrwx--- 2 system system u:object_r:unlabeled:s0 > 24576 1995-09-25 03:39 ethernet > > drwx------ 2 media media u:object_r:unlabeled:s0 > 24576 1995-09-25 03:39 media > > drwxrwxr-x 2 system cache u:object_r:unlabeled:s0 > 24576 2013-10-19 10:47 onehelp > > drwxrwxr-x 2 root root u:object_r:unlabeled:s0 > 24576 1995-09-25 03:39 perfprofd > > drwxrwx--x 3 root root u:object_r:unlabeled:s0 > 24576 2000-01-01 16:05 user > > drwx------ 2 root root u:object_r:unlabeled:s0 > 24576 1995-09-25 03:39 vold > > > > > > On Thu, Mar 8, 2018 at 7:13 PM, kiran mardi <mardiki...@gmail.com > <mailto:mardiki...@gmail.com> <mailto:mardiki...@gmail.com > <mailto:mardiki...@gmail.com>>> wrote: > > > > Hi All, > > > > In one of our set we are seeing /data/misc/netd, keystore, user as > unlabeled (dont know why it has become unlabeled). Since it is google AOSP > module I am expecting restorecon should be part of AOSP code on these folder. > > > > =========== > > [Wed Mar 07 20:20:23.103 2018] [ 19.018081] type=1400 > audit(946742413.155:43): avc: denied { unlink } for pid=1146 comm="netd" > name="netd_pid" dev="mmcblk0p7" ino=406433 scontext=u:r:netd:s0 > tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 > > > > [Wed Mar 07 20:20:23.103 2018] [ 19.034844] type=1400 > audit(946742413.160:44): avc: denied { setattr } for pid=1161 comm="installd" > name="0" dev="mmcblk0p7" ino=407130 scontext=u:r:installd:s0 > tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0 > > > > [Wed Mar 07 20:20:29.397 2018] [ 25.229311] type=1400 > audit(946742419.495:47): avc: denied { write } for pid=1146 comm="netd" > name="*rt_tables*" dev="mmcblk0p7" ino=406432 scontext=u:r:netd:s0 > tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0 > > > > [Wed Mar 07 20:20:29.425 2018] [ 25.256023] type=1400 > audit(946742419.520:48): avc: denied { write } for pid=1146 > comm="Binder:1146_2" name="*netd_pid*" dev="mmcblk0p7" ino=406433 > scontext=u:r:*netd*:s0 tcontext=u:object_r:unlabeled:s0 tclass=file > permissive=0 > > ========= > > below folders are getting unlabeled. > > > > /data/misc/keystore > > data/misc/netd > > data/misc/user > > > > what may be the reason for this unlabeled? > > > > Is restorecon -R in init.rc file for these folder is the solution? > want to know the real reason. > > > > Please help > > > > -- > > regards, > > kiran mardi > > > > > > > > > > -- > > regards, > > kiran mardi > > > > > -- > regards, > kiran mardi
