Re: SE Android (Was: Re: Welcome to selinux)

Doing a restorecon might be the easiest solution, as described by Stephen Smalley. However, every time
you reflash your phone with new images you'll have to do a restorecon on those apps. If you want to include
the gapps into your build harness you'll need to modify device-specific makefiles to PRODUCT_COPY_FILES
from the gapps directory you have downloaded. Best bet is to look at a current working example under the 'vendor'
directory for the specific device you're building. Then just create a vendor/google to mimic its structure.


On Thu, Jul 12, 2012 at 7:06 AM, Alexandra Test <testalexandrainstitute@xxxxxxxxx> wrote:
I added the gapps afterwards


On Wed, Jul 11, 2012 at 2:50 PM, Robert Craig <robertpcraig@xxxxxxxxx> wrote:
Are you building your system.img with the gapps? Are you adding the gapps afterwards (after the build and flash)?
If afterwards, the denials specific to the gapps below would explain that. Try baking the gapps into the system
image before the system.img is built.

How to do that? I have a .zip file with some folders inside (system, optional and meta-data).

Thanks.

On Wed, Jul 11, 2012 at 6:39 AM, Alexandra Test <testalexandrainstitute@xxxxxxxxx> wrote:
Thanks for the suggestions, the phone is now working in permissive mode.
I would like to set the enforcing mode but I still have some residual denials.
The output of the
adb shell dmesg | grep avc 

<5>[84589.029418] type=1400 audit(1341913871.476:458): avc: denied { read } for pid=130 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2642 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[85517.133544] type=1400 audit(1341914799.582:459): avc: denied { open } for pid=10531 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file
<5>[85519.959869] type=1400 audit(1341914802.410:460): avc: denied { read } for pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[85519.960449] type=1400 audit(1341914802.410:461): avc: denied { open } for pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86670.591888] type=1400 audit(1341915953.036:462): avc: denied { read } for pid=10727 comm="id.partnersetup" name="GooglePartnerSetup.apk" dev=mmcblk0p10 ino=971 scontext=u:r:trusted_app:s0:c52 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86670.592193] type=1400 audit(1341915953.036:463): avc: denied { open } for pid=10727 comm="id.partnersetup" name="GooglePartnerSetup.apk" dev=mmcblk0p10 ino=971 scontext=u:r:trusted_app:s0:c52 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86701.210266] type=1400 audit(1341915983.653:464): avc: denied { read } for pid=10754 comm="apters.calendar" name="GoogleCalendarSyncAdapter.apk" dev=mmcblk0p10 ino=967 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86701.210571] type=1400 audit(1341915983.653:465): avc: denied { open } for pid=10754 comm="apters.calendar" name="GoogleCalendarSyncAdapter.apk" dev=mmcblk0p10 ino=967 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86701.669555] type=1400 audit(1341915984.114:466): avc: denied { read } for pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[86701.669860] type=1400 audit(1341915984.114:467): avc: denied { open } for pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[86701.670349] type=1400 audit(1341915984.114:468): avc: denied { open } for pid=10770 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:qtaguid:s0 tclass=file
<5>[86703.330718] type=1400 audit(1341915985.778:469): avc: denied { open } for pid=10777 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file
<5>[86704.572326] type=1400 audit(1341915987.020:470): avc: denied { read } for pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86704.573242] type=1400 audit(1341915987.020:471): avc: denied { open } for pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86718.670806] type=1400 audit(1341916001.114:472): avc: denied { read } for pid=10820 comm="le.android.talk" name="Talk.apk" dev=mmcblk0p10 ino=980 scontext=u:r:trusted_app:s0:c59 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86718.671112] type=1400 audit(1341916001.114:473): avc: denied { open } for pid=10820 comm="le.android.talk" name="Talk.apk" dev=mmcblk0p10 ino=980 scontext=u:r:trusted_app:s0:c59 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86721.909545] type=1400 audit(1341916004.356:474): avc: denied { read } for pid=10863 comm="ApplicationsPro" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86721.909851] type=1400 audit(1341916004.356:475): avc: denied { open } for pid=10863 comm="ApplicationsPro" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:unlabeled:s0 tclass=file

Do I need to do something before changing the secure mode?

Thanks for your help


On Mon, Jul 9, 2012 at 10:48 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Mon, 2012-07-02 at 16:05 +0200, Alexandra Test wrote:

> I tried to install application from the google play website directly
> from the phone but it is not working.

Not sure what you mean by "not working" above.  You have to separately
install the gapps, but they work for us.  Enforcing or permissive?

> How to get the formal meaning of the files? I tried to look for it...

seapp_contexts is only "documented" by the inline comments at the
moment.  The SELinux policy language is documented in a variety of
places, including books (e.g. SELinux by Example, the SELinux Notebook),
wiki pages (e.g. http://selinuxproject.org/page/PolicyLanguage), and
technical reports (e.g.
http://www.nsa.gov/research/selinux/docs.shtml#tech).

> Yes, you are right, but I can't see any deny now... I only have to
> understand how to go on...

No avc messages in the output of adb shell dmesg or adb logcat?


--
Stephen Smalley
National Security Agency
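As an added example (not from this thread and not SE Android project code), here is a small Python triage script for the kind of dmesg output quoted above. It parses the "avc: denied" lines, separates denials whose target type is unlabeled (files that never received a label, which is what you get when apks are copied onto /system after the image was built, and which restorecon or baking them into the build fixes) from the rest, and renders the rest as audit2allow-style candidate rules. The sample input is a handful of the lines quoted in the thread, embedded so the script runs offline; the /system/app path used for the restorecon commands is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: a few of the denials quoted in the thread,
# embedded verbatim so this runs offline without a device attached.
SAMPLE_DMESG = """\
<5>[84589.029418] type=1400 audit(1341913871.476:458): avc: denied { read } for pid=130 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2642 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[85517.133544] type=1400 audit(1341914799.582:459): avc: denied { open } for pid=10531 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file
<5>[85519.959869] type=1400 audit(1341914802.410:460): avc: denied { read } for pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[85519.960449] type=1400 audit(1341914802.410:461): avc: denied { open } for pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86704.572326] type=1400 audit(1341915987.020:470): avc: denied { read } for pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86701.669555] type=1400 audit(1341915984.114:466): avc: denied { read } for pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc: denied \{ (?P<perms>[^}]+) \} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per denial line: 'perms' (list) plus the key=value fields."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {"perms": m.group("perms").split()}
        for key, value in FIELD_RE.findall(m.group("fields")):
            rec[key] = value.strip('"')
        records.append(rec)
    return records


def strip_mls(ctx):
    """Drop the MLS suffix (s0, s0:c46 ...) so per-app categories collapse to one type."""
    return ":".join(ctx.split(":")[:3])


def triage(records):
    """
    Split denials into two buckets:
      relabel - target type is 'unlabeled': the file carries no label at all.
                Fix by relabeling (restorecon) or by building the file into the
                image, never by allowing access to unlabeled.
      policy  - everything else: candidate allow rules keyed by
                (source type, target type, class) with the union of perms.
    """
    relabel = {}
    policy = defaultdict(set)
    for rec in records:
        target_type = rec["tcontext"].split(":")[2]
        if target_type == "unlabeled":
            name = rec.get("name") or rec.get("path")
            relabel.setdefault(name, set()).update(rec["perms"])
        else:
            key = (strip_mls(rec["scontext"]), strip_mls(rec["tcontext"]), rec["tclass"])
            policy[key].update(rec["perms"])
    return relabel, dict(policy)


def allow_rules(policy):
    """Render candidate rules audit2allow-style; each one still needs a human review."""
    rules = []
    for (sctx, tctx, tclass), perms in sorted(policy.items()):
        stype, ttype = sctx.split(":")[2], tctx.split(":")[2]
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def restorecon_commands(relabel, app_dir="/system/app"):
    """Device-side commands for the unlabeled apks; app_dir is an assumed location."""
    return [f"restorecon {app_dir}/{name}" for name in sorted(relabel)]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_DMESG)
    relabel, policy = triage(recs)
    print("# unlabeled targets: relabel these, do not write policy for them")
    for cmd in restorecon_commands(relabel):
        print(cmd)
    print("# remaining denials: candidate rules, review each before adding")
    for rule in allow_rules(policy):
        print(rule)
```

Run with python3 and it prints the restorecon lines first and the candidate rules second. The reason for the split: a denial against an unlabeled target should not be "fixed" by an allow rule on unlabeled, because that would let every listed domain reach any file that happened to miss labeling; relabel the files (or bake them into the image so they are labeled at build time) instead. The remaining rules (qtaguid, device) are genuine policy questions and belong in a review against the policy sources rather than being pasted in as generated. dmesg is a ring buffer, so also check adb logcat, as Stephen suggests, before treating the list as complete.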





