On Tue, 2012-07-10 at 15:57 +0200, Michal Mašek wrote:
> Hi,
>
> I am trying to make our application operational under
> SEAndroid. Currently the application produces "open" and "execute"
> denials when it is loading its dynamic libraries from
> /data/data/APPDIR/lib directory:
>
> <5>[ 3913.711395] type=1400 audit(1341923463.083:9): avc: denied {
> open } for pid=1832 comm="t.circletech.cc" name="libsdl-1.2.so"
> dev=mmcblk0p12 ino=578446 scontext=u:r:untrusted_app:s0:c38
> tcontext=u:object_r:system_data_file:s0 tclass=file
>
> <5>[ 3913.711730] type=1400 audit(1341923463.083:10): avc: denied {
> execute } for pid=1832 comm="t.circletech.cc"
> path="/data/data/net.circletech.cc/lib/libsdl-1.2.so" dev=mmcblk0p12
> ino=578446 scontext=u:r:untrusted_app:s0:c38
> tcontext=u:object_r:system_data_file:s0 tclass=file
>
>
> My guess is that these libraries should have a different label. Such
> that the application is allowed to load them. But which one? And how to
> change it? I tried to change the policy (file_contexts), but it had no
> effect (it seems that files in the lib directory are relabeled during
> installation).

The /data/data/APPDIR directory should be labeled with the app_data_file
type (not system_data_file as in your avc denials above) and the same
category assigned to the app process (i.e. :c38 in the above denial).
The fact that it is instead system_data_file suggests that you installed
the app when not running SE Android and did not erase and reflash your
data partition. Or maybe you installed the app from the recovery
console?

--
Stephen Smalley
National Security Agency
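The check Stephen describes (app data files should carry the app_data_file type and the same MLS category as the app process) can be applied mechanically to avc denial lines. The following is an added example, not code from the thread; it parses the two denials quoted above plus a third constructed line, and reports whether the target label is the wrong type or has a mismatched category. The diagnosis strings are mine.

```python
import re

# Constructed sample: the two denials from the mail, plus one hypothetical line
# where the file has the right type but a category (c39) that differs from the
# process category (c38).
SAMPLE_AUDIT = """\
<5>[ 3913.711395] type=1400 audit(1341923463.083:9): avc: denied { open } for pid=1832 comm="t.circletech.cc" name="libsdl-1.2.so" dev=mmcblk0p12 ino=578446 scontext=u:r:untrusted_app:s0:c38 tcontext=u:object_r:system_data_file:s0 tclass=file
<5>[ 3913.711730] type=1400 audit(1341923463.083:10): avc: denied { execute } for pid=1832 comm="t.circletech.cc" path="/data/data/net.circletech.cc/lib/libsdl-1.2.so" dev=mmcblk0p12 ino=578446 scontext=u:r:untrusted_app:s0:c38 tcontext=u:object_r:system_data_file:s0 tclass=file
<5>[ 3920.000000] type=1400 audit(1341923470.000:11): avc: denied { write } for pid=1832 comm="t.circletech.cc" name="cache.db" dev=mmcblk0p12 ino=578500 scontext=u:r:untrusted_app:s0:c38 tcontext=u:object_r:app_data_file:s0:c39 tclass=file
"""

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_context(ctx):
    """Split u:r:untrusted_app:s0:c38 into (user, role, type, sensitivity, categories)."""
    user, role, typ, mls = ctx.split(':', 3)
    parts = mls.split(':', 1)
    cats = set(parts[1].split(',')) if len(parts) > 1 else set()
    return user, role, typ, parts[0], cats

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    return d

def diagnose(denial):
    """Explain an untrusted_app denial on a file under its own data directory."""
    _, _, styp, _, scats = parse_context(denial['scontext'])
    _, _, ttyp, _, tcats = parse_context(denial['tcontext'])
    if styp != 'untrusted_app':
        return 'not an untrusted_app denial'
    if ttyp == 'system_data_file':
        return 'wrong type: expected app_data_file (data partition not relabelled?)'
    if ttyp == 'app_data_file' and scats != tcats:
        return 'category mismatch: file %s vs process %s' % (sorted(tcats), sorted(scats))
    return 'labels consistent'

def diagnose_log(text):
    """Return (permissions, diagnosis) for every avc denial in the log text."""
    return [(' '.join(d['perms']), diagnose(d))
            for d in map(parse_avc, text.splitlines()) if d]
```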