I don't see any denials being caused by gapps, so that's OK. What version of SEAndroid are you running?

You can pipe your denial logs (dmesg) through a tool called audit2allow to get a more concise reading. It often helps to make sense of things:

    adb shell dmesg | audit2allow

It looks like some things are not getting labeled properly:

    #============= mediaserver ==============
    allow mediaserver device:chr_file { read write ioctl open };
    allow mediaserver system_data_file:dir { read open };
    allow mediaserver system_data_file:file open;

We don't care about shell:

    #============= shell ==============
    allow shell device:chr_file { read write getattr ioctl };

We may need to allow this in the policy... need to put more thought in it.

    #============= system ==============
    allow system proc:file write;
    allow system rild:unix_stream_socket connectto;

Denials explained:

allow system proc:file write is from this denial:

    <5>[ 24.782653] type=1400 audit(1344517139.820:6): avc: denied { write } for pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl" dev=proc ino=4026532651 scontext=u:r:system:s0 tcontext=u:object_r:proc:s0 tclass=file

This should be fixed on tuna/maguro device...

allow system rild:unix_stream_socket connectto is from this denial:

    <5>[ 25.809204] type=1400 audit(1344517140.843:7): avc: denied { connectto } for pid=460 comm="GpsLocationProv" path=004D756C7469636C69656E74 scontext=u:r:system:s0 tcontext=u:r:rild:s0 tclass=unix_stream_socket

This should be fixed..

Media server denies:

    <5>[ 26.586181] type=1400 audit(1344517141.625:8): avc: denied { read } for pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    <5>[ 26.586364] type=1400 audit(1344517141.625:9): avc: denied { open } for pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    <5>[ 26.602386] type=1400 audit(1344517141.640:10): avc: denied { write } for pid=175 comm=42696E646572205468726561642023 name="rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    <5>[ 26.602783] type=1400 audit(1344517141.640:11): avc: denied { ioctl } for pid=175 comm=42696E646572205468726561642023 path="/dev/rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file

The problem here comes from labeling: /dev/rpmsg-omx1 is not labeled properly but should be, it was fixed in external/sepolicy commit ee5f4005

Make sure your seandroid is up to date, I have a feeling you need to update your local_manifest.xml file and do a new repo sync..

I am also forwarding this to the public mailing list, so others can learn from this and answer problems before they arise.

I hope this helps, and from now on direct these types of questions back to the mailing list to help others out.

Bill

On Thu, Aug 9, 2012 at 6:15 AM, Alexandra Test <testalexandrainstitute@xxxxxxxxx> wrote:
> Hi William,
> I tried again and it did not work again.
> The reason why I installed from a gapp*.zip file is because it has all the dependencies verified; I tried before to install from the apk, extracted from the phone but it did not work.
> I did the restorecon simply with this command:
> adb shell
> su
> mount -o rw,remount /dev/block/platform/omap/omap /system
> restorecon -R /system
> It does not work! how is it possible? the phone is still in permissive mode,
> I cannot change in enforcing mode
> The list of my denials:
> <5>[ 5.459838] type=1400 audit(1344517120.492:3): avc: denied { read write } for pid=129 comm="sh" name="ttyFIQ0" dev=tmpfs ino=2914 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[ 5.537353] type=1400 audit(1344517120.570:4): avc: denied { getattr } for pid=129 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2914 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[ 5.538055] type=1400 audit(1344517120.570:5): avc: denied { ioctl } for pid=129 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2914 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[ 24.782653] type=1400 audit(1344517139.820:6): avc: denied { write } for pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl" dev=proc ino=4026532651 scontext=u:r:system:s0 tcontext=u:object_r:proc:s0 tclass=file
> <5>[ 25.809204] type=1400 audit(1344517140.843:7): avc: denied { connectto } for pid=460 comm="GpsLocationProv" path=004D756C7469636C69656E74 scontext=u:r:system:s0 tcontext=u:r:rild:s0 tclass=unix_stream_socket
> <5>[ 26.586181] type=1400 audit(1344517141.625:8): avc: denied { read } for pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[ 26.586364] type=1400 audit(1344517141.625:9): avc: denied { open } for pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[ 26.602386] type=1400 audit(1344517141.640:10): avc: denied { write } for pid=175 comm=42696E646572205468726561642023 name="rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[ 26.602783] type=1400 audit(1344517141.640:11): avc: denied { ioctl } for pid=175 comm=42696E646572205468726561642023 path="/dev/rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[ 26.775054] type=1400 audit(1344517141.812:12): avc: denied { read } for pid=175 comm=42696E646572205468726561642023 name="R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044" dev=mmcblk0p12 ino=138460 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
> <5>[ 26.775268] type=1400 audit(1344517141.812:13): avc: denied { open } for pid=175 comm=42696E646572205468726561642023 name="R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044" dev=mmcblk0p12 ino=138460 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
> <5>[ 26.775695] type=1400 audit(1344517141.812:14): avc: denied { open } for pid=175 comm=42696E646572205468726561642023 name="calib.bin" dev=mmcblk0p12 ino=138461 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
>
> Thanks for your help
>
> On Tue, Aug 7, 2012 at 7:06 PM, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
>>
>> 1. The seapp_contexts, file_contexts, sepolicy.24 and property_contexts are in the ramdisk for the rootfs, which is in boot.img. When a device is running, you will find these files in '/'. (ls / will show them)
>>
>> 2. You can push any of those files, or all to /system/data and then setprop selinux.reload_policy 1. See the info here:
>> http://selinuxproject.org/page/SEAndroid#SE_Android_Policy
>>
>> 3. You can extract apk's in many ways, this blog has a few:
>>
>> http://mauweb.net/3.0/en/technology/17-android/100-icon-androidextracting-apk-files-from-your-android.html
>>
>> Bill
>>
>> On Tue, Aug 7, 2012 at 1:01 AM, Alexandra Test <testalexandrainstitute@xxxxxxxxx> wrote:
>> > I installed the gapp (downloaded here https://faramir.eriador.org/r/gapps-ics-20120317-signed.zip) as an independent package and then I used restorecon.
>> >
>> > About the policy, I have two files in external/sepolicy/seapp_context and property_context
>> > Where can I find these files in the phone memory? do I need every time to modify the source files and then provide the system building?
>> > If I want to extract the gapp from the original build how can I do that?
>> >
>> > Thanks for your help
>> >
>> > On Mon, Aug 6, 2012 at 7:44 PM, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
>> >>
>> >> It should be working, as we wrote a lot of the policy for that device and didn't experience any denials. If you're installing apps from recovery (Like gapps), make sure you use the recovery.img that gets built and not clock-work mod.
>> >>
>> >> On Mon, Aug 6, 2012 at 3:35 AM, Alexandra Test <testalexandrainstitute@xxxxxxxxx> wrote:
>> >> > Hi Williams,
>> >> > sorry for the late reply, I was on vacation.
>> >> > I am using a Samsung Galaxy Nexus with the tuna master branch.
>> >> >
>> >> > Thanks for your help!
>> >> > Anna
>> >> >
>> >> > On Wed, Jul 18, 2012 at 7:31 PM, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
>> >> >>
>> >> >> You have a lot of denials. What device and branch of code are you using?
>> >> >>
>> >> >> I might be able to help you get these fixed.
>> >> >>
>> >> >> On Wed, Jul 18, 2012 at 12:24 AM, Alexandra Test <testalexandrainstitute@xxxxxxxxx> wrote:
>> >> >>>
>> >> >>> Yes, in the attached files you can see the denials.
>> >> >>>
>> >> >>> In permissive mode I can install everything.
>> >> >>>
>> >> >>> Any ideas?
>> >> >>>
>> >> >>> On 16 Jul 2012 18:13, "William Roberts" <bill.c.roberts@xxxxxxxxx> wrote:
>> >> >>>
>> >> >>>> do have any denials? does installation work in permissive mode?
>> >> >>>>
>> >> >>>> On Jul 16, 2012 5:44 AM, "Alexandra Test" <testalexandrainstitute@xxxxxxxxx> wrote:
>> >> >>>>>
>> >> >>>>> My phone is now in enforcing mode but I can not install anything.
>> >> >>>>> I tried from google play but after the download, when it tries to install says:
>> >> >>>>> "the download url is not valid"
>> >> >>>>>
>> >> >>>>> Do I have to change the policies? I saw the app.te files in external/sepolicy in the build directory, but where can I find the same file on the phone?
>> >> >>>>> Do I need to rebuild and reflash every time I change the policies?
>> >> >>>>>
>> >> >>>>> On Mon, Jul 16, 2012 at 12:47 PM, Alexandra Test <testalexandrainstitute@xxxxxxxxx> wrote:
>> >> >>>>>>
>> >> >>>>>> it works, thank you! :-)
>> >> >>>>>>
>> >> >>>>>> On Sun, Jul 15, 2012 at 6:25 AM, Robert Craig <robertpcraig@xxxxxxxxx> wrote:
>> >> >>>>>>>
>> >> >>>>>>> On Fri, Jul 13, 2012 at 8:50 AM, Alexandra Test <testalexandrainstitute@xxxxxxxxx> wrote:
>> >> >>>>>>>
>> >> >>>>>>>>
>> >> >>>>>>>> I tried to investigate without success, so I decided to try to use the restorecon. is it needed to be root?
>> >> >>>>>>>> on which files do I need to use restorecon? how?
>> >> >>>>>>>>
>> >> >>>>>>>
>> >> >>>>>>> You'll not only have to be root, but you'll also need to remount your system partition (android mounts it read only).
>> >> >>>>>>> I would try:
>> >> >>>>>>> adb shell
>> >> >>>>>>> su
>> >> >>>>>>> mount -o rw,remount </dev/block path for your device> /system
>> >> >>>>>>> restorecon -R /system
>> >> >>
>> >> >> --
>> >> >> Respectfully,
>> >> >>
>> >> >> William C Roberts
>> >>
>> >> --
>> >> Respectfully,
>> >>
>> >> William C Roberts
>>
>> --
>> Respectfully,
>>
>> William C Roberts

--
Respectfully,

William C Roberts
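
The reply at the top of this thread maps each denial to the allow rule audit2allow prints and attributes the mediaserver ones to unlabeled device nodes. The following is an added example, not part of the original messages and not audit2allow's own code: it groups four denials copied from the thread into rules and also decodes the hex-encoded comm and path fields. Treating device:chr_file targets as missing labels is a heuristic assumed here, and permissions are sorted alphabetically rather than in audit2allow's order.

```python
import re
from collections import defaultdict

# Four denials copied from the thread above, one dmesg line each.
SAMPLE = """\
<5>[ 24.782653] type=1400 audit(1344517139.820:6): avc: denied { write } for pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl" dev=proc ino=4026532651 scontext=u:r:system:s0 tcontext=u:object_r:proc:s0 tclass=file
<5>[ 25.809204] type=1400 audit(1344517140.843:7): avc: denied { connectto } for pid=460 comm="GpsLocationProv" path=004D756C7469636C69656E74 scontext=u:r:system:s0 tcontext=u:r:rild:s0 tclass=unix_stream_socket
<5>[ 26.586181] type=1400 audit(1344517141.625:8): avc: denied { read } for pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[ 26.602783] type=1400 audit(1344517141.640:11): avc: denied { ioctl } for pid=175 comm=42696E646572205468726561642023 path="/dev/rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Kernel audit quotes plain strings and hex-encodes ones with spaces or NULs."""
    if value.startswith('"'):
        return value.strip('"')
    if re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        # A leading NUL marks an abstract unix socket; rendered as '@' by convention.
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", "@")
    return value

def parse(line):
    m = AVC.search(line)
    if not m:
        return None
    f = dict(FIELD.findall(m.group(2)))
    rec = {k: decode(f[k]) for k in ("comm", "name", "path") if k in f}
    rec.update(perms=m.group(1).split(), source=f["scontext"].split(":")[2],
               target=f["tcontext"].split(":")[2], tclass=f["tclass"])
    return rec

def summarize(log):
    """Group denials into audit2allow-style rules; list nodes still typed 'device'."""
    rules, unlabeled = defaultdict(set), set()
    for rec in filter(None, map(parse, log.splitlines())):
        rules[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
        # Assumed heuristic: generic 'device' on a chr_file means a label is missing.
        if rec["target"] == "device" and rec["tclass"] == "chr_file":
            unlabeled.add(rec.get("path") or rec["name"])
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out, sorted(unlabeled)

if __name__ == "__main__": print(*summarize(SAMPLE), sep="\n")
```

Entries in the second list are candidates for a file_contexts label rather than for a new allow rule on the generic device type.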