On Wed, 2012-03-07 at 08:57 -0500, Subramani Venkatesh wrote:
> Hi Stephen,
>
> Thanks for the response, my comments are inlined
>
> On Wed, Mar 7, 2012 at 8:36 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On Wed, 2012-03-07 at 08:18 -0500, Subramani Venkatesh wrote:
> >> Hi,
> >> Trying to execute CTS on SEAndroid with security enforce, but I am not
> >> successful getting it working, it crashes at the very beginning with
> >> an exception, is anyone else seeing the same issue?
> >
> > First, did you make sure that you had no avc messages before going into
> > enforcing mode and even trying to run the CTS? adb shell dmesg | grep
> > avc should yield no output.
> <Subbu>: I fixed most of it, there were a couple of them missing, I will
> fix them and try again.
> >
> > Second, make sure you can run the CTS in permissive mode without any
> > difficulties as your baseline.
> <Subbu>: Yes CTS executes in permissive mode without any issues.
> >
> > Third, make sure you enable the android_cts policy boolean before
> > running the CTS. If you have configured the CTS to not reboot the
> > device (set maxTestCount to -1 in repository/host_config.xml), then you
> > can just do this once via adb shell su 0 setsebool android_cts=1.
> > Otherwise, if you want to allow periodic reboots during the CTS, you
> > need to add setsebool android_cts=1 and setenforce 1 to your init.rc or
> > init.<board>.rc file so that it happens on each boot.
> <Subbu>: I did enable android_cts_policy boolean, I shall try changing
> my init.rc file to setenforce 1 all the time.

If you can run the CTS while in permissive mode, then you should do that
again (leaving it in permissive mode, with android_cts=1) and collect up
the denials.

    adb shell su 0 cat /proc/kmsg > dmesg.txt

You can then add any necessary rules to cts.te under the boolean.

-- 
Stephen Smalley
National Security Agency
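The last step of the message above (turn the denials collected in dmesg.txt into rules under the boolean) can be sketched as follows. This is an added example, not part of the original message and not SEAndroid project code. The sample log lines and the types cts_app and example_data_file are constructed, and the `if (android_cts) { ... }` wrapper assumes cts.te uses the kernel policy language's conditional-block syntax.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of dmesg.txt content; the types are hypothetical.
SAMPLE = """\
<5>[  101.2] type=1400 audit(1331128621.100:5): avc:  denied  { read write } for  pid=812 comm="cts.test" name="tmp" dev=mtdblock1 ino=77 scontext=u:r:cts_app:s0 tcontext=u:object_r:example_data_file:s0 tclass=file
<5>[  101.9] type=1400 audit(1331128621.800:6): avc:  denied  { open } for  pid=812 comm="cts.test" name="tmp" dev=mtdblock1 ino=77 scontext=u:r:cts_app:s0 tcontext=u:object_r:example_data_file:s0 tclass=file
<5>[  102.4] type=1400 audit(1331128622.300:7): avc:  denied  { setsched } for  pid=812 comm="cts.test" scontext=u:r:cts_app:s0 tcontext=u:r:cts_app:s0 tclass=process
<6>[  103.0] binder: unrelated kernel message
"""

AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def ctx_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def collect(text):
    """Merge denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC.search(line)
        if not m:
            continue  # not an AVC denial
        src, tgt = ctx_type(m["s"]), ctx_type(m["t"])
        if tgt == src:
            tgt = "self"  # a domain acting on itself is written as self
        rules[(src, tgt, m["cls"])].update(m["perms"].split())
    return rules

def render(rules, boolean="android_cts"):
    """Emit candidate allow rules wrapped in the policy boolean."""
    out = [f"if ({boolean}) {{"]
    for (src, tgt, cls), perms in sorted(rules.items()):
        joined = " ".join(sorted(perms))
        perm = joined if len(perms) == 1 else "{ " + joined + " }"
        out.append(f"    allow {src} {tgt}:{cls} {perm};")
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(render(collect(text)))
```

The output is a list of candidate rules to review one by one before adding them to the policy; a denial that points at a mislabeled file or an over-broad request is better fixed at its source than allowed.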