On 07/10/2012 04:13 PM, Stephen Smalley wrote:
> The /data/data/APPDIR directory should be labeled with the app_data_file
> type (not system_data_file as in your avc denials above) and the same
> category assigned to the app process (i.e. :c38 in the above denial).

The /data/data/APPDIR is labeled with the app_data_file type as you say
it should be:

# ls -lZ /data/data/
...
drwxr-x--x app_38 app_38 u:object_r:app_data_file:s0:c38 net.circletech.cc

However the /data/data/APPDIR/lib and everything in it is labeled with
type system_data_file:

# ls -lZ /data/data/net.circletech.cc/
drwxr-xr-x system system u:object_r:system_data_file:s0 lib

> The fact that it is instead system_data_file suggests that you installed
> the app when not running SE Android and did not erase and reflash your
> data partition.

I have built the SEAndroid from sources as full_maguro-eng and I am
running it on Galaxy Nexus. I cleared the cache and userdata before
flashing the system. Getenforce says that the SELinux is running in
permissive mode.

I checked the /data/data directory before installation and the directory
of our application is not there. Then I installed the application via
"adb install" and the directory was created with the above mentioned
labels. I also tried to download the apk file through the android web
browser and installed it from Downloads app but it had the same effect.

Btw, I randomly checked directories of some of the system apps and the
lib subdirectory is always labeled with the system_data_file type, e.g.:

# ls -lZ /data/data/com.android.providers.contacts/
drwxrwx--x app_0 app_0 u:object_r:app_data_file:s0:c0 databases
drwxrwx--x app_0 app_0 u:object_r:app_data_file:s0:c0 files
drwxr-xr-x system system u:object_r:system_data_file:s0 lib
drwxrwx--x app_0 app_0 u:object_r:app_data_file:s0:c0 shared_prefs

Isn't it possible that during installation the lib directory is created
somewhere else, somewhere where it would be labeled with
system_data_file type and then moved to /data/data/APPDIR with its label
intact? Or maybe there is something else I am missing?

Thanks for your help,
Michal Mašek
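
An added example, not part of the original message: a small Python check that parses `ls -lZ` output in the layout shown above and reports entries whose type or category differs from the label expected for the app. The function names are hypothetical, the listing is copied from the message, and comparing the category field as a plain string is an assumption.

```python
import re

# Layout of the ls -lZ lines shown in the message:
#   <mode> <owner> <group> <user>:<role>:<type>:<sensitivity>[:<categories>] <name>
LINE = re.compile(
    r"^(?P<mode>[bcdlps-][rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<sens>[^:\s]+)"
    r"(?::(?P<cats>\S+))?\s+(?P<name>.+)$"
)

# Listing copied from the message above (system app running with category c0).
CONTACTS_LISTING = """\
# ls -lZ /data/data/com.android.providers.contacts/
drwxrwx--x app_0 app_0 u:object_r:app_data_file:s0:c0 databases
drwxrwx--x app_0 app_0 u:object_r:app_data_file:s0:c0 files
drwxr-xr-x system system u:object_r:system_data_file:s0 lib
drwxrwx--x app_0 app_0 u:object_r:app_data_file:s0:c0 shared_prefs
"""


def parse_ls_z(text):
    """Return one dict per entry line; prompts, '...' and blank lines are skipped."""
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def mismatches(entries, want_type, want_cats):
    """List (name, reason) for entries whose type or categories are not the expected ones."""
    found = []
    for e in entries:
        reasons = []
        if e["type"] != want_type:
            reasons.append(f"type {e['type']} != {want_type}")
        # Assumption: categories are compared as the literal string printed by ls.
        if (e["cats"] or "") != want_cats:
            reasons.append(f"categories {e['cats'] or 'none'} != {want_cats}")
        if reasons:
            found.append((e["name"], "; ".join(reasons)))
    return found


if __name__ == "__main__":
    for name, reason in mismatches(parse_ls_z(CONTACTS_LISTING), "app_data_file", "c0"):
        print(f"{name}: {reason}")
```

Fed the output of `adb shell ls -lZ /data/data/<package>/` together with the type and category of the app process, it lists exactly the entries that would trigger denials like the ones discussed in this thread once enforcing mode is on.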