On Wed, Mar 7, 2012 at 6:40 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Wed, 2012-03-07 at 09:06 -0500, Stephen Smalley wrote:
> On Wed, 2012-03-07 at 08:57 -0500, Subramani Venkatesh wrote:
> > Hi Stephen,
> >
> > Thanks for the response, my comments are inlined
> >
> > On Wed, Mar 7, 2012 at 8:36 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > On Wed, 2012-03-07 at 08:18 -0500, Subramani Venkatesh wrote:
> > >> Hi,
> > >> Trying to execute CTS on SEAndroid with security enforce, but I am not
> > >> successful getting it working, it crashes at the very beginning with
> > >> an exception, is anyone else seeing the same issue?
> > >
> > > First, did you make sure that you had no avc messages before going into
> > > enforcing mode and even trying to run the CTS? adb shell dmesg | grep
> > > avc should yield no output.
> > <Subbu>: I fixed most of it, there were a couple of them missing, I will
> > fix them and try again.
> > >
> > > Second, make sure you can run the CTS in permissive mode without any
> > > difficulties as your baseline.
> > <Subbu>: Yes, CTS executes in permissive mode without any issues.
> > >
> > > Third, make sure you enable the android_cts policy boolean before
> > > running the CTS. If you have configured the CTS to not reboot the
> > > device (set maxTestCount to -1 in repository/host_config.xml), then you
> > > can just do this once via adb shell su 0 setsebool android_cts=1.
> > > Otherwise, if you want to allow periodic reboots during the CTS, you
> > > need to add setsebool android_cts=1 and setenforce 1 to your init.rc or
> > > init.<board>.rc file so that it happens on each boot.
> > <Subbu>: I did enable android_cts_policy boolean, I shall try changing
> > my init.rc file to setenforce 1 all the time.
>
> If you can run the CTS while in permissive mode, then you should do that
> again (leaving it in permissive mode, with android_cts=1) and collect up
> the denials.
>
> adb shell su 0 cat /proc/kmsg > dmesg.txt
>
> You can then add any necessary rules to cts.te under the boolean.
Just tried this myself, and I see that we'll need to make a few
adjustments to policy for the current CTS. Some of those will be made
unconditionally outside of the android_cts boolean, while others are
really only appropriate under test conditions and not production use.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
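The workflow Stephen describes above (check that dmesg carries no avc messages before enforcing, run the CTS in permissive mode with android_cts=1, capture /proc/kmsg, then add rules to cts.te under the boolean) can be scripted. The following is an added example and is not code from the thread or from the SEAndroid project; the function names (count_denials, list_denials, denials_to_rules) and the dmesg lines are my own, the dmesg sample being constructed in the kernel's standard AVC format rather than real CTS output, and the generated rules use the standard SELinux conditional syntax `if (android_cts) { ... }`:

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the SEAndroid tree).
# Turns AVC denials captured in permissive mode into candidate allow rules
# grouped under the android_cts boolean, ready to be pasted into cts.te
# after review. SAMPLE_DMESG below is constructed, not real CTS output.

SAMPLE_DMESG='<5>[   12.345678] type=1400 audit(1331124000.123:45): avc: denied { read } for pid=1234 comm="testrunner" name="cpuinfo" dev="proc" ino=4026531986 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
<5>[   12.345900] type=1400 audit(1331124000.124:46): avc: denied { read open } for pid=1234 comm="testrunner" name="cpuinfo" dev="proc" ino=4026531986 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
<5>[   13.000001] type=1400 audit(1331124001.000:47): avc: denied { write } for pid=1300 comm="app_process" name="data" dev="mmcblk0p12" ino=2 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
<5>[   14.000000] init: some unrelated kernel message'

# count_denials DMESG_TEXT
# The "adb shell dmesg | grep avc should yield no output" check from the
# thread: prints how many avc denial lines the text contains, so a boot
# script can refuse to setenforce 1 while the count is nonzero.
count_denials() {
    printf '%s\n' "$1" | grep -c 'avc: denied' || true
}

# list_denials DMESG_TEXT
# Prints one "source_type target_type class perm" line per denied permission,
# deduplicated, so the same access denied many times collapses into one line.
# The type is the third colon-separated field of u:r:TYPE:s0 contexts.
list_denials() {
    printf '%s\n' "$1" |
    sed -n 's/.*avc: denied {\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    while read -r src tgt cls perms; do
        for p in $perms; do
            printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$p"
        done
    done | sort -u
}

# denials_to_rules DMESG_TEXT
# Groups permissions per (source, target, class) and prints candidate allow
# rules inside the android_cts conditional block, in first-seen order.
denials_to_rules() {
    printf 'if (android_cts) {\n'
    list_denials "$1" | awk '
        {
            key = $1 " " $2 ":" $3
            if (!(key in perms)) { n++; order[n] = key; perms[key] = $4 }
            else perms[key] = perms[key] " " $4
        }
        END {
            for (i = 1; i <= n; i++)
                printf "allow %s { %s };\n", order[i], perms[order[i]]
        }'
    printf '}\n'
}

# Stand-alone usage: run against the constructed sample, or replace
# SAMPLE_DMESG with "$(cat dmesg.txt)" captured via adb shell su 0 cat /proc/kmsg.
denials_to_rules "$SAMPLE_DMESG"
```

The generated block is a starting point, not a finished policy: as the last message in the thread notes, some of the accesses the CTS triggers belong unconditionally in the main policy, while others are only appropriate under the boolean for test runs, so each printed rule should be sorted into one of those two places (or rejected) by hand.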