Check the init.rc for these binaries and see whether seclabel is defined in it or not.

On Thursday, February 8, 2018 at 9:23:56 PM UTC+1, Eric Nelson wrote:
>
> I am porting Android 7.1 to our IMX53 product. I ran into a problem with 
> SELinux that doesn't seem to make sense. The boot log looks like this:
>
> ...
> [ 3.506650] Freeing unused kernel memory: 1024K
> [ 3.528875] init: init first stage started!
> [ 3.553382] SELinux: Permission validate_trans in class security not 
> defined in policy.
> [ 3.562534] SELinux: Class cap_userns not defined in policy.
> [ 3.568418] SELinux: Class cap2_userns not defined in policy.
> [ 3.574269] SELinux: Class bpf not defined in policy.
> [ 3.579623] SELinux: the above unknown classes and permissions will be denied
> [ 3.701006] audit: type=1403 audit(3.689:2): policy loaded auid=4294967295 
> ses=4294967295
> [ 3.712563] audit: type=1404 audit(3.699:3): enforcing=1 old_enforcing=0 
> auid=4294967295 ses=4294967295
> [ 3.745760] init: (Initializing SELinux enforcing took 0.21s.)
> [ 3.766315] init: init second stage started!
> [ 3.792985] init: Running restorecon...
> [ 3.880962] init: waitpid failed: No child processes
> [ 3.887834] init: (Loading properties from /default.prop took 0.00s.)
> [ 3.903302] init: (Parsing /init.environ.rc took 0.00s.)
> [ 3.910929] init: (Parsing /init.usb.rc took 0.00s.)
> [ 3.918296] init: (Parsing init.rti.usb.rc took 0.00s.)
> [ 3.923605] init: (Parsing /init.rti.rc took 0.01s.)
> [ 3.931310] init: (Parsing /init.usb.configfs.rc took 0.00s.)
> [ 3.937856] init: (Parsing /init.zygote32.rc took 0.00s.)
> [ 3.962443] ueventd: ueventd started!
> [ 4.942899] ueventd: Coldboot took 0.97s.
> [ 5.078709] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data 
> mode. Opts: (null)
> [ 5.139472] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data 
> mode. Opts: errors=panic
> [ 5.182104] EXT4-fs (mmcblk0p4): mounted filesystem with ordered data 
> mode. Opts: errors=panic
> [ 5.493959] audit: type=1400 audit(5.479:4): avc: denied { execute } for 
> pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340 
> scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file 
> permissive=0
> [ 5.593161] binder: 111:111 transaction failed 29189/-22, size 0-0 line 
> 3004
> [ 5.607788] audit: type=1400 audit(5.599:5): avc: denied { execute } for 
> pid=112 comm="init" name="sh" dev="mmcblk0p2" ino=654293 
> scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file 
> permissive=0
> [ 6.663334] binder: 111:111 transaction failed 29189/-22, size 0-0 line 
> 3004
> [ 7.670798] binder: 111:111 transaction failed 29189/-22, size 0-0 line 
> 3004
> [ 8.678255] binder: 111:111 transaction failed 29189/-22, size 0-0 line 
> 3004
> [ 9.685626] binder: 111:111 transaction failed 29189/-22, size 0-0 line 
> 3004
>
> ...
> As you can see "vdc", and "sh" seem to be missing a label for SELinux. 
> However, I clearly see the label being set in android source under 
> /system/sepolicy/file_contexts:
>
> /system/bin/sh   --   u:object_r:shell_exec:s0
>
> /system/bin/vdc     u:object_r:vdc_exec:s0
>
> Further, if I try to provide my own label for these same files in 
> /device/rti/kx10/sepolicy/file_contexts, I get a compile errors:
>
> out/target/product/kx10/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp: Multiple same specifications for /system/bin/sh.
>
> out/target/product/kx10/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp: Multiple same specifications for /system/bin/vdc.
>
> So if sh & vdc have a label defined, why does the SELinux audit indicate 
> these files are "unlabeled"?
>
> Because of this error I cannot get a shell started to allow me to use 
> other debug tools (ex. logcat). Does anyone have any ideas, thoughts, or 
> suggestions that might help me proceed?
>
> Thanks in advance,
>

-- 
website: http://groups.google.com/group/android-porting
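Added example for the question in the quoted post (not code from the thread or from AOSP): a small file_contexts resolver that applies the matching rules libselinux uses (the regex is matched against the whole path, the optional second field filters by file type, and of all matching entries the last one in the file wins), a duplicate check that reproduces the condition behind the "Multiple same specifications" build error, and a comparison of the label file_contexts would assign with the tcontext in the two avc denials. The file_contexts fragment and the denial lines are constructed from the post; the /system(/.*)? catch-all is an assumed stand-in for AOSP's generic entry, and diagnose() is told the directory because an avc record carries only the basename.

```python
"""Why a file that has a file_contexts entry can still show up as unlabeled.

Added example, not code from the thread or from AOSP. Matching follows
libselinux's selabel_file: whole-path regex, optional type filter, and the
LAST matching entry wins. The /system(/.*)? catch-all is an assumption."""
import re

# file_contexts type filters; an entry without one matches any file type.
TYPE_CODES = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
              "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}

# Constructed fragment: the sh and vdc lines are the ones quoted in the post.
FILE_CONTEXTS = """\
/system(/.*)?        u:object_r:system_file:s0
/system/bin/sh   --  u:object_r:shell_exec:s0
/system/bin/vdc      u:object_r:vdc_exec:s0
"""

# Constructed copies of the two denials in the post's boot log.
DENIALS = [
    'audit: type=1400 audit(5.479:4): avc: denied { execute } for pid=110 '
    'comm="init" name="vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 '
    'tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0',
    'audit: type=1400 audit(5.599:5): avc: denied { execute } for pid=112 '
    'comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 '
    'tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?name="(?P<name>[^"]*)"'
    r'\s+dev="(?P<dev>[^"]*)"\s+ino=\d+\s+scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def parse_file_contexts(text):
    """Return one (regex_str, compiled, type or None, context, lineno) per entry."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_CODES:
            regex, ftype, ctx = fields[0], TYPE_CODES[fields[1]], fields[2]
        else:
            raise ValueError(f"file_contexts line {lineno}: cannot parse {raw!r}")
        specs.append((regex, re.compile(regex), ftype, ctx, lineno))
    return specs


def expected_context(specs, path, ftype="file"):
    """(context, lineno) file_contexts assigns to path, or None if nothing matches.
    libselinux walks the entries from the end, so the last match wins: the
    catch-all comes first and the specific /system/bin/sh entry later."""
    for _, regex, spec_type, ctx, lineno in reversed(specs):
        if spec_type in (None, ftype) and regex.fullmatch(path):
            return None if ctx == "<<none>>" else (ctx, lineno)
    return None


def duplicate_specs(specs):
    """Pairs with the same regex and a compatible type filter: the condition
    behind the build error in the post, where a device file_contexts repeats
    the platform's /system/bin/sh line and the concatenated file is rejected."""
    dups = []
    for i, (re_i, _, type_i, ctx_i, line_i) in enumerate(specs):
        for re_j, _, type_j, ctx_j, line_j in specs[i + 1:]:
            if re_i == re_j and (None in (type_i, type_j) or type_i == type_j):
                dups.append((re_i, "same" if ctx_i == ctx_j else "different",
                             line_i, line_j))
    return dups


def diagnose(avc_line, specs, directory):
    """Compare a denial's tcontext with the label file_contexts would give."""
    m = AVC_RE.search(avc_line)
    if not m:
        return None
    path = directory.rstrip("/") + "/" + m["name"]
    expected = expected_context(specs, path, m["tclass"])
    result = {"path": path, "dev": m["dev"], "actual": m["tcontext"],
              "expected": expected[0] if expected else None}
    if expected is None:
        result["cause"] = "no file_contexts entry matches this path"
    elif m["tcontext"] == expected[0]:
        result["cause"] = f"labeled as expected; {m['scontext']} lacks an allow rule"
    elif m["tcontext"].split(":")[2] == "unlabeled":
        # unlabeled is what the kernel reports for an inode that carries no
        # security.selinux xattr: the entry exists but was never applied.
        result["cause"] = (f"no label stored on {m['dev']}; file_contexts line "
                           f"{expected[1]} would assign {expected[0]}")
    else:
        result["cause"] = f"mislabeled; file_contexts line {expected[1]} says {expected[0]}"
    return result


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for line in DENIALS:
        print(diagnose(line, specs, "/system/bin"))
```

For the two denials in the post this reports that /system/bin/sh and /system/bin/vdc do have matching entries (shell_exec and vdc_exec) but the inodes on mmcblk0p2 carry no label at all, which is a different failure from a wrong entry or a missing allow rule. The on-device check that tells the two apart is `ls -Z /system/bin/sh`: a stored context means policy is the problem, `u:object_r:unlabeled:s0` means the label was never written to the filesystem, and adding entries to a device file_contexts cannot change that.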