On Tue, Mar 13, 2018 at 11:45 PM, kiran mardi <mardiki...@gmail.com> wrote:
> Hi Stephen,
>
> Please correct me if I am wrong.
> 1. restorecon_recursive /data in system/core/rootdir/init.rc will not
> run/apply on every bootup?

No, as Stephen stated before, and I quote, "this is based
on a separate security.restorecon_last xattr set on the /data directory with
the SHA1 hash of the /file_contexts.bin file"

This is for performance reasons; there is no need to run a costly recursive
restorecon if the file_contexts.bin file hasn't changed. But if there was a bug
in this feature, it possibly could cause it not to run.

>     expectation is it should be running on every bootup (unlabeled issue
> should be solved).
>
> 2. Looks like the issue is reproduced when we upgrade from M to N. I see the
> change of restorecon_recursive is already part of M as well.
>
> can this issue occur if the upgrade is partial or something?

I've only ever seen this when you're attempting to access something
before the trigger. This restorecon happens on the post-fs-data
trigger IIRC, which (obviously) happens after the data partition is decrypted
and mounted.

Considering you're saying it's not 100% reproducible,
are you racing the restorecon_recursive?

>
> On Fri, Mar 9, 2018 at 9:38 PM, kiran mardi <mardiki...@gmail.com> wrote:
>>
>> Hi Stephen,
>>
>> The issue I am mentioning is not 100% reproducible. We are seeing this
>> very rarely. So don't know how to get this reproduced. Anyway will try to get
>> more details on the issue and get back to you.
>>
>> Was also thinking what else can be added to address this.
>>
>> Thanks for your help.
>>
>> On 09-Mar-2018 6:41 PM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>>>
>>> On 03/09/2018 02:55 AM, kiran mardi wrote:
>>> >     >>>>>>>>sh-3.2# toybox restorecon -nv /data/misc/dhcp
>>> >
>>> > [  158.754324] type=1400 audit(946742542.500:16): avc: denied { search
>>> > } for pid=983 comm="toybox" name="security" dev="mmcblk0p7" ino=186945
>>> > scontext=u:r:shell:s0 tcontext=u:object_r:security_file:s0 tclass=dir
>>> > permissive=1
>>> >
>>> > SELinux: Loaded file_contexts contexts from /file_contexts.bin.[
>>> > 158.776446] type=1400 audit(946742542.520:17): avc: denied { getattr } for
>>> > pid=983 comm="toybox" path="/data/misc/dhcp" dev="mmcblk0p7" ino=406419
>>> > scontext=u:r:shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
>>> > permissive=1
>>> >
>>> >
>>> >
>>> > SELinux:  Relabeling /data/misc/dhcp from u:object_r:unlabeled:s0 to
>>> > u:object_r:dhcp_data_file:s0.
>>>
>>> Ok, so you have a valid context for /data/misc/dhcp in your
>>> file_contexts, which should have been used if the restorecon_recursive /data
>>> executed.
>>>
>>> Did your file_contexts configuration change between the old and new
>>> versions?  restorecon_recursive /data will skip the tree walk if
>>> file_contexts has not changed since the last time it was run; this is based
>>> on a separate security.restorecon_last xattr set on the /data directory with
>>> the SHA1 hash of the /file_contexts.bin file.
>>>
>>> Also, what was the context on /data/misc/dhcp in the prior version from
>>> which you are upgrading?  Was it the same or different?  If different, what
>>> was it?
>>>
>
>
>
> --
> regards,
> kiran mardi

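The skip check discussed in this thread, as an added example that is not part of the original messages or of the Android sources: it compares the SHA1 of file_contexts.bin with the value recorded in the security.restorecon_last xattr and reports whether the recursive walk would be skipped, which is the state in which an unlabeled file under /data stays unlabeled. It assumes the xattr holds the raw 20-byte digest; the function names and sample rules are hypothetical.

```python
import errno
import hashlib
import os

RESTORECON_LAST = "security.restorecon_last"  # xattr name quoted in the thread


def read_restorecon_last(path):
    """Return the digest recorded on `path`, or None if no xattr is set."""
    try:
        return os.getxattr(path, RESTORECON_LAST)  # Linux-only call
    except OSError as exc:
        # ENODATA: attribute never written; ENOTSUP: no xattr support.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def relabel_decision(file_contexts_bin, stored):
    """Return (skip_walk, reason) for the given file_contexts bytes.

    Assumption: the xattr stores the raw SHA1 digest (20 bytes).
    """
    current = hashlib.sha1(file_contexts_bin).digest()
    if stored is None:
        return False, "no digest recorded, tree walk runs"
    if len(stored) != len(current):
        return False, "recorded digest has unexpected length, tree walk runs"
    if stored == current:
        return True, "file_contexts unchanged, tree walk skipped"
    return False, "file_contexts changed, tree walk runs"


def check(data_dir, file_contexts_path):
    """Apply the decision to a real directory and file_contexts.bin."""
    with open(file_contexts_path, "rb") as fh:
        return relabel_decision(fh.read(), read_restorecon_last(data_dir))


if __name__ == "__main__":
    # Constructed sample inputs standing in for two file_contexts versions.
    old = b"/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0\n"
    new = old + b"/data/misc/example(/.*)? u:object_r:example_data_file:s0\n"
    recorded = hashlib.sha1(old).digest()
    for label, blob, xattr in (("same", old, recorded),
                               ("changed", new, recorded),
                               ("first boot", new, None)):
        print(label, relabel_decision(blob, xattr))
```

On a device, `check("/data", "/file_contexts.bin")` needs a context that is allowed to read both; the shell domain in the log above was denied `search` on a security_file directory while running restorecon.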