* Re: Welcome to selinux
       [not found]   ` <1340288275.4234.48.camel@moss-pluto.epoch.ncsc.mil>
@ 2012-06-29  9:59     ` Alexandra Test
  2012-06-29 10:17       ` Alexandra Test
  0 siblings, 1 reply; 24+ messages in thread
From: Alexandra Test @ 2012-06-29  9:59 UTC (permalink / raw)
  To: Stephen Smalley, selinux

[-- Attachment #1: Type: text/plain, Size: 2161 bytes --]

I have a Samsung Galaxy Nexus and I am using Ubuntu 12.04...

Unfortunately I couldn't see any SeAndroid when I launch the adb shell
getenforce, so I decided to try again.

this is my procedure:
- initialize repo with the master version
- add the master local_manifest.xml in the .repo folder
- sync
- build a modified kernel with the necessary support for SELinux

export PREFIX=/path/to/your/aospclone
cd $PREFIX/kernel/samsung
make ARCH=arm tuna_defconfig
make ARCH=arm CROSS_COMPILE=$PREFIX/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-

- make HAVE_SELINUX=true

Now the device tries to boot but I can only see a horizontal line on the
screen.
However if I try to interrogate the device with the adb shell getenforce, I
can see that it is in a permissive mode.
What is wrong??

When I compiled AOSP the first time I had the same problem with the screen
and I solved with additional hardware-related proprietary libraries, that
are here
https://developers.google.com/android/nexus/drivers?hl=da#maguroimm76d
I used this one: Galaxy Nexus (GSM/HSPA+) binaries for Android 4.0.4
(IMM76D to IMM76L).
I also tried to add these libraries but it doesn't work yet!

Can anyone help me?


On Thu, Jun 21, 2012 at 4:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Thu, 2012-06-21 at 16:08 +0200, Alexandra Test wrote:
> > Hi,
> > I need a help but I don't know where to ask for it.
>
> seandroid@tycho.nsa.gov is our team mail alias, so you can use it for
> questions that you don't want to be public.  selinux@tycho.nsa.gov is
> the public SELinux mailing list, so you can use it for questions that
> don't require privacy.  When possible, use the public list so that
> others can benefit from the questions and answers.
>
> > Which kernel can I use for Galaxy Nexus and what are the commands to
> > execute?
>
> The omap kernel with the tuna_defconfig is the one to use for Galaxy
> Nexus.  Commands to execute from the seandroid directory:
> cd kernel/omap
> make ARCH=arm tuna_defconfig
> make ARCH=arm
> CROSS_COMPILE=$PREFIX/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
>
>
> --
> Stephen Smalley
> National Security Agency
>
>

[-- Attachment #2: Type: text/html, Size: 4388 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: Welcome to selinux
  2012-06-29  9:59     ` Welcome to selinux Alexandra Test
@ 2012-06-29 10:17       ` Alexandra Test
  2012-06-29 13:59         ` Alexandra Test
  0 siblings, 1 reply; 24+ messages in thread
From: Alexandra Test @ 2012-06-29 10:17 UTC (permalink / raw)
  To: Stephen Smalley, selinux

[-- Attachment #1: Type: text/plain, Size: 2395 bytes --]

Now it works... I am going to the next step! :-)

On Fri, Jun 29, 2012 at 11:59 AM, Alexandra Test <
testalexandrainstitute@gmail.com> wrote:

> I have a Samsung Galaxy Nexus and I am using Ubuntu 12.04...
>
> Unfortunately I couldn't see any SeAndroid when I launch the adb shell
> getenforce, so I decided to try again.
>
> this is my procedure:
> - initialize repo with the master version
> - add the master local_manifest.xml in the .repo folder
> - sync
> - build a modified kernel with the necessary support for SELinux
>
> export PREFIX=/path/to/your/aospclone
> cd $PREFIX/kernel/samsung
> make ARCH=arm tuna_defconfig
> make ARCH=arm CROSS_COMPILE=$PREFIX/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
>
> - make HAVE_SELINUX=true
>
> Now the device tries to boot but I can only see a horizontal line on the
> screen.
> However if I try to interrogate the device with the adb shell getenforce,
> I can see that it is in a permissive mode.
> What is wrong??
>
> When I compiled AOSP the first time I had the same problem with the screen
> and I solved with additional hardware-related proprietary libraries, that
> are here
> https://developers.google.com/android/nexus/drivers?hl=da#maguroimm76d
> I used this one: Galaxy Nexus (GSM/HSPA+) binaries for Android 4.0.4
> (IMM76D to IMM76L).
> I also tried to add these libraries but it doesn't work yet!
>
> Can anyone help me?
>
>
> On Thu, Jun 21, 2012 at 4:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>> On Thu, 2012-06-21 at 16:08 +0200, Alexandra Test wrote:
>> > Hi,
>> > I need a help but I don't know where to ask for it.
>>
>> seandroid@tycho.nsa.gov is our team mail alias, so you can use it for
>> questions that you don't want to be public.  selinux@tycho.nsa.gov is
>> the public SELinux mailing list, so you can use it for questions that
>> don't require privacy.  When possible, use the public list so that
>> others can benefit from the questions and answers.
>>
>> > Which kernel can I use for Galaxy Nexus and what are the commands to
>> > execute?
>>
>> The omap kernel with the tuna_defconfig is the one to use for Galaxy
>> Nexus.  Commands to execute from the seandroid directory:
>> cd kernel/omap
>> make ARCH=arm tuna_defconfig
>> make ARCH=arm
>> CROSS_COMPILE=$PREFIX/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
>>
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>

[-- Attachment #2: Type: text/html, Size: 4848 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: Welcome to selinux
  2012-06-29 10:17       ` Alexandra Test
@ 2012-06-29 13:59         ` Alexandra Test
  2012-06-29 14:19           ` Radzykewycz, T (Radzy)
  2012-06-29 14:38           ` Stephen Smalley
  0 siblings, 2 replies; 24+ messages in thread
From: Alexandra Test @ 2012-06-29 13:59 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 3034 bytes --]

Hi,
sorry for all the mails!
I installed SeAndroid but I have some problems.
- the camera is not working (is it normal?)

I would like to install other applications but I really didn't get how to
do that.
should I install the application and then define new policies?
How to define the policies?

then I notice that I have some residual denials to address in my policy.
I hope I will find a way and I am really sorry but I am a beginner!

Thanks in advance,
Alexandra


On Fri, Jun 29, 2012 at 12:17 PM, Alexandra Test <
testalexandrainstitute@gmail.com> wrote:

> Now it works... I am going to the next step! :-)
>
>
> On Fri, Jun 29, 2012 at 11:59 AM, Alexandra Test <
> testalexandrainstitute@gmail.com> wrote:
>
>> I have a Samsung Galaxy Nexus and I am using Ubuntu 12.04...
>>
>> Unfortunately I couldn't see any SeAndroid when I launch the adb shell
>> getenforce, so I decided to try again.
>>
>> this is my procedure:
>> - initialize repo with the master version
>> - add the master local_manifest.xml in the .repo folder
>> - sync
>> - build a modified kernel with the necessary support for SELinux
>>
>> export PREFIX=/path/to/your/aospclone
>> cd $PREFIX/kernel/samsung
>> make ARCH=arm tuna_defconfig
>> make ARCH=arm CROSS_COMPILE=$PREFIX/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
>>
>> - make HAVE_SELINUX=true
>>
>> Now the device tries to boot but I can only see a horizontal line on the
>> screen.
>> However if I try to interrogate the device with the adb shell getenforce,
>> I can see that it is in a permissive mode.
>> What is wrong??
>>
>> When I compiled AOSP the first time I had the same problem with the
>> screen and I solved with additional hardware-related proprietary
>> libraries, that are here
>> https://developers.google.com/android/nexus/drivers?hl=da#maguroimm76d
>> I used this one: Galaxy Nexus (GSM/HSPA+) binaries for Android 4.0.4
>> (IMM76D to IMM76L).
>> I also tried to add these libraries but it doesn't work yet!
>>
>> Can anyone help me?
>>
>>
>> On Thu, Jun 21, 2012 at 4:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>
>>> On Thu, 2012-06-21 at 16:08 +0200, Alexandra Test wrote:
>>> > Hi,
>>> > I need a help but I don't know where to ask for it.
>>>
>>> seandroid@tycho.nsa.gov is our team mail alias, so you can use it for
>>> questions that you don't want to be public.  selinux@tycho.nsa.gov is
>>> the public SELinux mailing list, so you can use it for questions that
>>> don't require privacy.  When possible, use the public list so that
>>> others can benefit from the questions and answers.
>>>
>>> > Which kernel can I use for Galaxy Nexus and what are the commands to
>>> > execute?
>>>
>>> The omap kernel with the tuna_defconfig is the one to use for Galaxy
>>> Nexus.  Commands to execute from the seandroid directory:
>>> cd kernel/omap
>>> make ARCH=arm tuna_defconfig
>>> make ARCH=arm
>>> CROSS_COMPILE=$PREFIX/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
>>>
>>>
>>> --
>>> Stephen Smalley
>>> National Security Agency
>>>
>>>
>>
>

[-- Attachment #2: Type: text/html, Size: 5757 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* RE: Welcome to selinux
  2012-06-29 13:59         ` Alexandra Test
@ 2012-06-29 14:19           ` Radzykewycz, T (Radzy)
  2012-06-29 14:38           ` Stephen Smalley
  1 sibling, 0 replies; 24+ messages in thread
From: Radzykewycz, T (Radzy) @ 2012-06-29 14:19 UTC (permalink / raw)
  To: Alexandra Test, selinux

Hi Alexandra

The camera uses proprietary components, which are not available in source form from the standard repo.  You need to install the binary proprietary components before building.  There are several other things which also need proprietary binary components.

You can download and use the proprietary components from Google, but they are not complete.  These are at https://developers.google.com/android/nexus/drivers .  I'm not sure that the camera itself is included in these files.

Another option: look on the web for instructions about how to fetch the proprietary bits from the device running the stock images.  This can be more complete than the Google files.

Enjoy!

                                                              -- radzy

________________________________________
From: owner-selinux@tycho.nsa.gov [owner-selinux@tycho.nsa.gov] on behalf of Alexandra Test [testalexandrainstitute@gmail.com]
Sent: Friday, June 29, 2012 6:59 AM
To: selinux@tycho.nsa.gov
Subject: Re: Welcome to selinux

Hi,
sorry for all the mails!
I installed SeAndroid but I have some problems.
- the camera is not working (is it normal?)

I would like to install other applications but I really didn't get how to do that.
should I install the application and then define new policies?
How to define the policies?

then I notice that I have some residual denials to address in my policy.
I hope I will find a way and I am really sorry but I am a beginner!

Thanks in advance,
Alexandra


On Fri, Jun 29, 2012 at 12:17 PM, Alexandra Test <testalexandrainstitute@gmail.com> wrote:
Now it works... I am going to the next step! :-)


On Fri, Jun 29, 2012 at 11:59 AM, Alexandra Test <testalexandrainstitute@gmail.com> wrote:
I have a Samsung Galaxy Nexus and I am using Ubuntu 12.04...

Unfortunately I couldn't see any SeAndroid when I launch the adb shell getenforce, so I decided to try again.

this is my procedure:
- initialize repo with the master version
- add the master local_manifest.xml in the .repo folder
- sync
- build a modified kernel with the necessary support for SELinux

export PREFIX=/path/to/your/aospclone
cd $PREFIX/kernel/samsung
make ARCH=arm tuna_defconfig
make ARCH=arm CROSS_COMPILE=$PREFIX/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-

- make HAVE_SELINUX=true

Now the device tries to boot but I can only see a horizontal line on the screen.
However if I try to interrogate the device with the adb shell getenforce, I can see that it is in a permissive mode.
What is wrong??

When I compiled AOSP the first time I had the same problem with the screen and I solved with additional hardware-related proprietary libraries, that are here
https://developers.google.com/android/nexus/drivers?hl=da#maguroimm76d
I used this one: Galaxy Nexus (GSM/HSPA+) binaries for Android 4.0.4 (IMM76D to IMM76L).
I also tried to add these libraries but it doesn't work yet!

Can anyone help me?


On Thu, Jun 21, 2012 at 4:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
On Thu, 2012-06-21 at 16:08 +0200, Alexandra Test wrote:
> Hi,
> I need a help but I don't know where to ask for it.

seandroid@tycho.nsa.gov is our team mail alias, so you can use it for
questions that you don't want to be public.  selinux@tycho.nsa.gov is
the public SELinux mailing list, so you can use it for questions that
don't require privacy.  When possible, use the public list so that
others can benefit from the questions and answers.

> Which kernel can I use for Galaxy Nexus and what are the commands to
> execute?

The omap kernel with the tuna_defconfig is the one to use for Galaxy
Nexus.  Commands to execute from the seandroid directory:
cd kernel/omap
make ARCH=arm tuna_defconfig
make ARCH=arm CROSS_COMPILE=$PREFIX/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-


--
Stephen Smalley
National Security Agency






--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: Welcome to selinux
  2012-06-29 13:59         ` Alexandra Test
  2012-06-29 14:19           ` Radzykewycz, T (Radzy)
@ 2012-06-29 14:38           ` Stephen Smalley
  2012-07-02 14:05             ` Alexandra Test
  1 sibling, 1 reply; 24+ messages in thread
From: Stephen Smalley @ 2012-06-29 14:38 UTC (permalink / raw)
  To: Alexandra Test; +Cc: selinux

On Fri, 2012-06-29 at 15:59 +0200, Alexandra Test wrote:
> Hi,
> sorry for all the mails!
> I installed SeAndroid but I have some problems.
> - the camera is not working (is it normal?)

That's not SE Android related - it is a general AOSP issue; see
discussions on android-building.  The extract-files.sh script from the
per-device directory may help you.

> i would like to install other applications but I really didn't get how
> to do that.
> should I install the application and then define new policies?

Yes, although you shouldn't need a new policy for each app; policy is
written in terms of types (equivalence classes).

> How to define the policies?

If using the middleware MAC support, you would amend the
external/mac-policy/mac_permissions.xml configuration.  For the SELinux
policy, you would possibly amend external/sepolicy/seapp_contexts if you
want to label the app differently and you might amend the rules in
external/sepolicy/app.te.

> then I notice that I have some residual denials to address in my
> policy.
> I hope I will find a way and I am really sorry but I am a beginner! 

Best thing to do is to post the denials and let people help you
understand what they mean and how to start addressing them.  Once you've
done it for a few denials, you'll pick it up.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: Welcome to selinux
  2012-06-29 14:38           ` Stephen Smalley
@ 2012-07-02 14:05             ` Alexandra Test
  2012-07-09 20:48               ` SE Android (Was: Re: Welcome to selinux) Stephen Smalley
  0 siblings, 1 reply; 24+ messages in thread
From: Alexandra Test @ 2012-07-02 14:05 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 2045 bytes --]

Thank you very much to all of you!

On Fri, Jun 29, 2012 at 4:38 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Fri, 2012-06-29 at 15:59 +0200, Alexandra Test wrote:
> > Hi,
> > sorry for all the mails!
> > I installed SeAndroid but I have some problems.
> > - the camera is not working (is it normal?)
>
> That's not SE Android related - it is a general AOSP issue; see
> discussions on android-building.  The extract-files.sh script from the
> per-device directory may help you.
>
>
I extracted old file from the phone before building and now it is working.


> > i would like to install other applications but I really didn't get how
> > to do that.
> > should I install the application and then define new policies?
>
> Yes, although you shouldn't need a new policy for each app; policy is
> written in terms of types (equivalence classes).
>

I tried to install application from the google play website directly from
the phone but it is not working.

So I installed directly from the apk... some of them are working, others
are not... but how to find legitimate apk?

> How to define the policies?

If using the middleware MAC support, you would amend the
> external/mac-policy/mac_permissions.xml configuration.


I am not using the MAC support.


>  For the SELinux
> policy, you would possibly amend external/sepolicy/seapp_contexts if you
> want to label the app differently and you might amend the rules in
> external/sepolicy/app.te.


How to get the formal meaning of the files? I tried to look for it...


>  > then I notice that I have some residual denials to address in my
> > policy.
> > I hope I will find a way and I am really sorry but I am a beginner!
>
> Best thing to do is to post the denials and let people help you
> understand what they mean and how to start addressing them.  Once you've
> done it for a few denials, you'll pick it up.
>

Yes, you are right, but I can't see any deny now... I only have to
understand how to go on...

>
>
--
> Stephen Smalley
> National Security Agency
>
Thank you,
Alexandra

[-- Attachment #2: Type: text/html, Size: 3623 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* SE Android (Was: Re: Welcome to selinux)
  2012-07-02 14:05             ` Alexandra Test
@ 2012-07-09 20:48               ` Stephen Smalley
  2012-07-11 10:39                 ` Alexandra Test
  0 siblings, 1 reply; 24+ messages in thread
From: Stephen Smalley @ 2012-07-09 20:48 UTC (permalink / raw)
  To: Alexandra Test; +Cc: selinux

On Mon, 2012-07-02 at 16:05 +0200, Alexandra Test wrote:

> I tried to install application from the google play website directly
> from the phone but it is not working. 

Not sure what you mean by "not working" above.  You have to separately
install the gapps, but they work for us.  Enforcing or permissive?

> How to get the formal meaning of the files? I tried to look for it...

seapp_contexts is only "documented" by the inline comments at the
moment.  The SELinux policy language is documented in a variety of
places, including books (e.g. SELinux by Example, the SELinux Notebook),
wiki pages (e.g. http://selinuxproject.org/page/PolicyLanguage), and
technical reports (e.g.
http://www.nsa.gov/research/selinux/docs.shtml#tech).

> Yes, you are right, but I can't see any deny now... I only have to
> understand how to go on...  

No avc messages in the output of adb shell dmesg or adb logcat?


-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: SE Android (Was: Re: Welcome to selinux)
  2012-07-09 20:48               ` SE Android (Was: Re: Welcome to selinux) Stephen Smalley
@ 2012-07-11 10:39                 ` Alexandra Test
  2012-07-11 12:50                   ` Robert Craig
  2012-07-11 12:56                   ` Stephen Smalley
  0 siblings, 2 replies; 24+ messages in thread
From: Alexandra Test @ 2012-07-11 10:39 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 5584 bytes --]

Thanks for the suggestions, the phone is now working in permissive mode.
I would like to set the enforcing mode but I still have some residual
denials.
The output of the

adb shell dmesg | grep avc

<5>[84589.029418] type=1400 audit(1341913871.476:458): avc:  denied  { read } for  pid=130 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2642 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[85517.133544] type=1400 audit(1341914799.582:459): avc:  denied  { open } for  pid=10531 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file
<5>[85519.959869] type=1400 audit(1341914802.410:460): avc:  denied  { read } for  pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[85519.960449] type=1400 audit(1341914802.410:461): avc:  denied  { open } for  pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86670.591888] type=1400 audit(1341915953.036:462): avc:  denied  { read } for  pid=10727 comm="id.partnersetup" name="GooglePartnerSetup.apk" dev=mmcblk0p10 ino=971 scontext=u:r:trusted_app:s0:c52 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86670.592193] type=1400 audit(1341915953.036:463): avc:  denied  { open } for  pid=10727 comm="id.partnersetup" name="GooglePartnerSetup.apk" dev=mmcblk0p10 ino=971 scontext=u:r:trusted_app:s0:c52 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86701.210266] type=1400 audit(1341915983.653:464): avc:  denied  { read } for  pid=10754 comm="apters.calendar" name="GoogleCalendarSyncAdapter.apk" dev=mmcblk0p10 ino=967 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86701.210571] type=1400 audit(1341915983.653:465): avc:  denied  { open } for  pid=10754 comm="apters.calendar" name="GoogleCalendarSyncAdapter.apk" dev=mmcblk0p10 ino=967 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86701.669555] type=1400 audit(1341915984.114:466): avc:  denied  { read } for  pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[86701.669860] type=1400 audit(1341915984.114:467): avc:  denied  { open } for  pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[86701.670349] type=1400 audit(1341915984.114:468): avc:  denied  { open } for  pid=10770 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:qtaguid:s0 tclass=file
<5>[86703.330718] type=1400 audit(1341915985.778:469): avc:  denied  { open } for  pid=10777 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file
<5>[86704.572326] type=1400 audit(1341915987.020:470): avc:  denied  { read } for  pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86704.573242] type=1400 audit(1341915987.020:471): avc:  denied  { open } for  pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86718.670806] type=1400 audit(1341916001.114:472): avc:  denied  { read } for  pid=10820 comm="le.android.talk" name="Talk.apk" dev=mmcblk0p10 ino=980 scontext=u:r:trusted_app:s0:c59 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86718.671112] type=1400 audit(1341916001.114:473): avc:  denied  { open } for  pid=10820 comm="le.android.talk" name="Talk.apk" dev=mmcblk0p10 ino=980 scontext=u:r:trusted_app:s0:c59 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86721.909545] type=1400 audit(1341916004.356:474): avc:  denied  { read } for  pid=10863 comm="ApplicationsPro" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86721.909851] type=1400 audit(1341916004.356:475): avc:  denied  { open } for  pid=10863 comm="ApplicationsPro" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:unlabeled:s0 tclass=file

Do I need to do something before changing the secure mode?

Thanks for your help


On Mon, Jul 9, 2012 at 10:48 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Mon, 2012-07-02 at 16:05 +0200, Alexandra Test wrote:
>
> > I tried to install application from the google play website directly
> > from the phone but it is not working.
>
> Not sure what you mean by "not working" above.  You have to separately
> install the gapps, but they work for us.  Enforcing or permissive?
>
> > How to get the formal meaning of the files? I tried to look for it...
>
> seapp_contexts is only "documented" by the inline comments at the
> moment.  The SELinux policy language is documented in a variety of
> places, including books (e.g. SELinux by Example, the SELinux Notebook),
> wiki pages (e.g. http://selinuxproject.org/page/PolicyLanguage), and
> technical reports (e.g.
> http://www.nsa.gov/research/selinux/docs.shtml#tech).
>
> > Yes, you are right, but I can't see any deny now... I only have to
> > understand how to go on...
>
> No avc messages in the output of adb shell dmesg or adb logcat?
>
>
> --
> Stephen Smalley
> National Security Agency
>
>

[-- Attachment #2: Type: text/html, Size: 7003 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread
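An added example, not code from the thread or from the SE Android project: a small parser that reads the kind of `adb shell dmesg | grep avc` output posted above and groups the denials audit2allow-style, so that the list can be reviewed before any rule is written. It assumes a handful of the AVC records copied from the message above as sample input, plus one constructed non-AVC kernel line to show that unrelated lines are skipped. The one design choice worth noting is that denials whose target is the `unlabeled` type are reported as a labeling problem, not turned into an `allow` rule: a file with no label (here, the .apk files) needs to be labeled, not granted.

```python
import re
from collections import defaultdict

# Sample input. The first five records are AVC lines copied from the dmesg
# output posted in the message above; the final line is a constructed
# non-AVC kernel message, added to show that unrelated lines are skipped.
SAMPLE_DMESG = """\
<5>[84589.029418] type=1400 audit(1341913871.476:458): avc:  denied  { read } for  pid=130 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2642 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[85517.133544] type=1400 audit(1341914799.582:459): avc:  denied  { open } for  pid=10531 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file
<5>[85519.959869] type=1400 audit(1341914802.410:460): avc:  denied  { read } for  pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[85519.960449] type=1400 audit(1341914802.410:461): avc:  denied  { open } for  pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[86701.670349] type=1400 audit(1341915984.114:468): avc:  denied  { open } for  pid=10770 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:qtaguid:s0 tclass=file
<6>[86702.000000] constructed: a kernel line that is not an AVC record
"""

# "avc:  denied  { read open } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        # Files are reported by name=, device nodes by path=
        'name': fields.get('name') or fields.get('path'),
    }


def context_type(ctx):
    """Android contexts are user:role:type:mls; the type is the third field.

    The MLS part (e.g. the per-app s0:c46 category) is dropped on purpose:
    allow rules are written at type granularity, so trusted_app:s0:c46 and
    trusted_app:s0:c50 collapse into one trusted_app rule.
    """
    return ctx.split(':')[2]


def summarize(dmesg_text):
    """Group denials into (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for line in dmesg_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (context_type(rec['scontext']),
               context_type(rec['tcontext']),
               rec['tclass'])
        rules[key].update(rec['perms'])
    return rules


def render(rules):
    """Emit candidate allow rules in SELinux policy syntax, one per line.

    Denials against the 'unlabeled' type are emitted as a comment instead:
    the right fix is to get the files labeled (bake them into the image so
    the build labels them, or relabel on the device), never an allow rule.
    """
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = ' '.join(sorted(perms))
        if ttype == 'unlabeled':
            out.append(f"# {stype} -> unlabeled {tclass} {{ {perm_str} }}: "
                       f"labeling problem, relabel the files rather than allow")
        else:
            out.append(f"allow {stype} {ttype}:{tclass} {{ {perm_str} }};")
    return out


if __name__ == '__main__':
    for rule in render(summarize(SAMPLE_DMESG)):
        print(rule)
```

Feed it real output with `adb shell dmesg | python3 avc_summary.py` after replacing `SAMPLE_DMESG` with `sys.stdin.read()` (that wiring is left out so the block runs offline). The candidate rules it prints are a starting point for review, not something to paste into app.te unread: each one should be checked against what the process actually needs, and the generic `device` type on `/dev/ttyFIQ0` and `xt_qtaguid` in the thread's output is itself a hint that those nodes may want a more specific type in file_contexts rather than a blanket grant on `device`.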

* Re: SE Android (Was: Re: Welcome to selinux)
  2012-07-11 10:39                 ` Alexandra Test
@ 2012-07-11 12:50                   ` Robert Craig
  2012-07-12 11:06                     ` Alexandra Test
  2012-07-11 12:56                   ` Stephen Smalley
  1 sibling, 1 reply; 24+ messages in thread
From: Robert Craig @ 2012-07-11 12:50 UTC (permalink / raw)
  To: Alexandra Test; +Cc: Stephen Smalley, selinux

[-- Attachment #1: Type: text/plain, Size: 6065 bytes --]

Are you building your system.img with the gapps? Are you adding the gapps
afterwards (after the build and flash)?
If afterwards, the denials specific to the gapps below would explain that.
Try baking the gapps into the system
image before the system.img is built.



On Wed, Jul 11, 2012 at 6:39 AM, Alexandra Test <
testalexandrainstitute@gmail.com> wrote:

> Thanks for the suggestions, the phone is now working in permissive mode.
> I would like to set the enforcing mode but I still have some residual
> denials.
> The output of the
>
> adb shell dmesg | grep avc
>
> <5>[84589.029418] type=1400 audit(1341913871.476:458): avc:  denied  { read } for  pid=130 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2642 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
>
> <5>[85517.133544] type=1400 audit(1341914799.582:459): avc:  denied  { open } for  pid=10531 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file
>
> <5>[85519.959869] type=1400 audit(1341914802.410:460): avc:  denied  { read } for  pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[85519.960449] type=1400 audit(1341914802.410:461): avc:  denied  { open } for  pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[86670.591888] type=1400 audit(1341915953.036:462): avc:  denied  { read } for  pid=10727 comm="id.partnersetup" name="GooglePartnerSetup.apk" dev=mmcblk0p10 ino=971 scontext=u:r:trusted_app:s0:c52 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[86670.592193] type=1400 audit(1341915953.036:463): avc:  denied  { open } for  pid=10727 comm="id.partnersetup" name="GooglePartnerSetup.apk" dev=mmcblk0p10 ino=971 scontext=u:r:trusted_app:s0:c52 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[86701.210266] type=1400 audit(1341915983.653:464): avc:  denied  { read } for  pid=10754 comm="apters.calendar" name="GoogleCalendarSyncAdapter.apk" dev=mmcblk0p10 ino=967 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[86701.210571] type=1400 audit(1341915983.653:465): avc:  denied  { open } for  pid=10754 comm="apters.calendar" name="GoogleCalendarSyncAdapter.apk" dev=mmcblk0p10 ino=967 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[86701.669555] type=1400 audit(1341915984.114:466): avc:  denied  { read } for  pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file
>
> <5>[86701.669860] type=1400 audit(1341915984.114:467): avc:  denied  { open } for  pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file
>
> <5>[86701.670349] type=1400 audit(1341915984.114:468): avc:  denied  { open } for  pid=10770 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:qtaguid:s0 tclass=file
>
> <5>[86703.330718] type=1400 audit(1341915985.778:469): avc:  denied  { open } for  pid=10777 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file
>
> <5>[86704.572326] type=1400 audit(1341915987.020:470): avc:  denied  { read } for  pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[86704.573242] type=1400 audit(1341915987.020:471): avc:  denied  { open } for  pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[86718.670806] type=1400 audit(1341916001.114:472): avc:  denied  { read } for  pid=10820 comm="le.android.talk" name="Talk.apk" dev=mmcblk0p10 ino=980 scontext=u:r:trusted_app:s0:c59 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[86718.671112] type=1400 audit(1341916001.114:473): avc:  denied  { open } for  pid=10820 comm="le.android.talk" name="Talk.apk" dev=mmcblk0p10 ino=980 scontext=u:r:trusted_app:s0:c59 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[86721.909545] type=1400 audit(1341916004.356:474): avc:  denied  { read } for  pid=10863 comm="ApplicationsPro" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> <5>[86721.909851] type=1400 audit(1341916004.356:475): avc:  denied  { open } for  pid=10863 comm="ApplicationsPro" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> Do I need to do something before changing the secure mode?
>
> Thanks for your help
>
>
> On Mon, Jul 9, 2012 at 10:48 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>> On Mon, 2012-07-02 at 16:05 +0200, Alexandra Test wrote:
>>
>> > I tried to install application from the google play website directly
>> > from the phone but it is not working.
>>
>> Not sure what you mean by "not working" above.  You have to separately
>> install the gapps, but they work for us.  Enforcing or permissive?
>>
>> > How to get the formal meaning of the files? I tried to look for it...
>>
>> seapp_contexts is only "documented" by the inline comments at the
>> moment.  The SELinux policy language is documented in a variety of
>> places, including books (e.g. SELinux by Example, the SELinux Notebook),
>> wiki pages (e.g. http://selinuxproject.org/page/PolicyLanguage), and
>> technical reports (e.g.
>> http://www.nsa.gov/research/selinux/docs.shtml#tech).
>>
>> > Yes, you are right, but I can't see any deny now... I only have to
>> > understand how to go on...
>>
>> No avc messages in the output of adb shell dmesg or adb logcat?
>>
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>


* Re: SE Android (Was: Re: Welcome to selinux)
  2012-07-11 10:39                 ` Alexandra Test
  2012-07-11 12:50                   ` Robert Craig
@ 2012-07-11 12:56                   ` Stephen Smalley
  1 sibling, 0 replies; 24+ messages in thread
From: Stephen Smalley @ 2012-07-11 12:56 UTC (permalink / raw)
  To: Alexandra Test; +Cc: selinux

On Wed, 2012-07-11 at 12:39 +0200, Alexandra Test wrote:
> Thanks for the suggestions, the phone is now working in permissive
> mode.
> I would like to set the enforcing mode but I still have some residual
> denials.
> The output of the 
> adb shell dmesg | grep avc 
> 
> <5>[84589.029418] type=1400 audit(1341913871.476:458): avc:  denied  { read } for  pid=130 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2642 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> 
> <5>[85517.133544] type=1400 audit(1341914799.582:459): avc:  denied  { open } for  pid=10531 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file
> 
> <5>[85519.959869] type=1400 audit(1341914802.410:460): avc:  denied  { read } for  pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[85519.960449] type=1400 audit(1341914802.410:461): avc:  denied  { open } for  pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[86670.591888] type=1400 audit(1341915953.036:462): avc:  denied  { read } for  pid=10727 comm="id.partnersetup" name="GooglePartnerSetup.apk" dev=mmcblk0p10 ino=971 scontext=u:r:trusted_app:s0:c52 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[86670.592193] type=1400 audit(1341915953.036:463): avc:  denied  { open } for  pid=10727 comm="id.partnersetup" name="GooglePartnerSetup.apk" dev=mmcblk0p10 ino=971 scontext=u:r:trusted_app:s0:c52 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[86701.210266] type=1400 audit(1341915983.653:464): avc:  denied  { read } for  pid=10754 comm="apters.calendar" name="GoogleCalendarSyncAdapter.apk" dev=mmcblk0p10 ino=967 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[86701.210571] type=1400 audit(1341915983.653:465): avc:  denied  { open } for  pid=10754 comm="apters.calendar" name="GoogleCalendarSyncAdapter.apk" dev=mmcblk0p10 ino=967 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[86701.669555] type=1400 audit(1341915984.114:466): avc:  denied  { read } for  pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file
> 
> <5>[86701.669860] type=1400 audit(1341915984.114:467): avc:  denied  { open } for  pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file
> 
> <5>[86701.670349] type=1400 audit(1341915984.114:468): avc:  denied  { open } for  pid=10770 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:qtaguid:s0 tclass=file
> 
> <5>[86703.330718] type=1400 audit(1341915985.778:469): avc:  denied  { open } for  pid=10777 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file
> 
> <5>[86704.572326] type=1400 audit(1341915987.020:470): avc:  denied  { read } for  pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[86704.573242] type=1400 audit(1341915987.020:471): avc:  denied  { open } for  pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[86718.670806] type=1400 audit(1341916001.114:472): avc:  denied  { read } for  pid=10820 comm="le.android.talk" name="Talk.apk" dev=mmcblk0p10 ino=980 scontext=u:r:trusted_app:s0:c59 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[86718.671112] type=1400 audit(1341916001.114:473): avc:  denied  { open } for  pid=10820 comm="le.android.talk" name="Talk.apk" dev=mmcblk0p10 ino=980 scontext=u:r:trusted_app:s0:c59 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[86721.909545] type=1400 audit(1341916004.356:474): avc:  denied  { read } for  pid=10863 comm="ApplicationsPro" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> <5>[86721.909851] type=1400 audit(1341916004.356:475): avc:  denied  { open } for  pid=10863 comm="ApplicationsPro" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:unlabeled:s0 tclass=file
> 
> 
> Do I need to do something before changing the secure mode?

Yes, you need to work through those denials and resolve them by:
- Labeling unlabeled files on your device via restorecon,
- Labeling device nodes that are left in the "device" type with a more
specific type to permit access by adding entries to file_contexts or the
device/<vendor>/<board>/sepolicy.fc file.
- When appropriate, adding allow rules to the .te files in sepolicy or
to a device/<vendor>/<board>/sepolicy.te file to permit the access.

You can use audit2allow as described on the wiki to generate raw allow
rules, but often you will want to fix the labels rather than allow the
permission on the existing types.  And when you add allow rules, you
shouldn't just add the ones emitted by audit2allow but should instead
use them as a guide and seek to generalize them using the macros defined
in *_macros.  Look at the existing .te files for examples.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SE Android (Was: Re: Welcome to selinux)
  2012-07-11 12:50                   ` Robert Craig
@ 2012-07-12 11:06                     ` Alexandra Test
  2012-07-12 11:35                       ` Robert Craig
  0 siblings, 1 reply; 24+ messages in thread
From: Alexandra Test @ 2012-07-12 11:06 UTC (permalink / raw)
  To: Robert Craig; +Cc: Stephen Smalley, selinux


I added the gapps afterwards


On Wed, Jul 11, 2012 at 2:50 PM, Robert Craig <robertpcraig@gmail.com> wrote:

> Are you building your system.img with the gapps? Are you adding the gapps
> afterwards (after the build and flash)?
> If afterwards, the denials specific to the gapps below would explain that.
> Try baking the gapps into the system
> image before the system.img is built.
>

How to do that? I have a .zip file with some folder inside (system,
optional and meta-data )

Thanks.


* Re: SE Android (Was: Re: Welcome to selinux)
  2012-07-12 11:06                     ` Alexandra Test
@ 2012-07-12 11:35                       ` Robert Craig
  2012-07-13 12:50                         ` Alexandra Test
  0 siblings, 1 reply; 24+ messages in thread
From: Robert Craig @ 2012-07-12 11:35 UTC (permalink / raw)
  To: Alexandra Test; +Cc: Stephen Smalley, selinux


Doing a restorecon might be the easiest solution, as described by Stephen
Smalley. However, every time you reflash your phone with new images you'll
have to do a restorecon on those apps. If you want to include the gapps in
your build harness you'll need to modify device-specific makefiles to
PRODUCT_COPY_FILES from the gapps directory you have downloaded. Best bet
is to look at a current working example under the 'vendor' directory for
the specific device you're building. Then just create a vendor/google to
mimic its structure.


On Thu, Jul 12, 2012 at 7:06 AM, Alexandra Test <
testalexandrainstitute@gmail.com> wrote:

> I added the gapps afterwards
>
>
> On Wed, Jul 11, 2012 at 2:50 PM, Robert Craig <robertpcraig@gmail.com> wrote:
>
>> Are you building your system.img with the gapps? Are you adding the gapps
>> afterwards (after the build and flash)?
>> If afterwards, the denials specific to the gapps below would explain
>> that. Try baking the gapps into the system
>> image before the system.img is built.
>>
>
> How to do that? I have a .zip file with some folder inside (system,
> optional and meta-data )
>
> Thanks.
>

* Re: SE Android (Was: Re: Welcome to selinux)
  2012-07-12 11:35                       ` Robert Craig
@ 2012-07-13 12:50                         ` Alexandra Test
  2012-07-15  4:25                           ` Robert Craig
  0 siblings, 1 reply; 24+ messages in thread
From: Alexandra Test @ 2012-07-13 12:50 UTC (permalink / raw)
  To: Robert Craig; +Cc: Stephen Smalley, selinux


I tried to build with the gapps: I created a folder vendor/google and tried
to reproduce the same structure as the vendor/samsung/ folder.

The problem is that when I try to build it says:

"build/core/product_config.mk:195: *** device/samsung/maguro/full_maguro.mk:
malformed COPY_FILE "vendor/google/maguro/proprietary/".  Stop.

I tried to investigate without success, so I decided to try to use
restorecon. Does it need to be run as root?
On which files do I need to use restorecon, and how?

Thanks




On Thu, Jul 12, 2012 at 1:35 PM, Robert Craig <robertpcraig@gmail.com> wrote:

> Doing a restorecon might be the easiest solution as described by Stephen
> Smalley. However, every time
> you reflash your phone with new images you'll have to do a restorecon on
> those apps. If you want to include
> the gapps into your build harness you'll need to modify device specific
> makefiles to PRODUCT_COPY_FILES
> from the gapps directory you have downloaded. Best bet is to look at a
> current working example under the 'vendor'
> directory for the specific device your building. Then just create a
> vendor/google to mimic its structure.

* Re: SE Android (Was: Re: Welcome to selinux)
  2012-07-13 12:50                         ` Alexandra Test
@ 2012-07-15  4:25                           ` Robert Craig
  2012-07-16 10:47                             ` Alexandra Test
  0 siblings, 1 reply; 24+ messages in thread
From: Robert Craig @ 2012-07-15  4:25 UTC (permalink / raw)
  To: Alexandra Test; +Cc: Stephen Smalley, selinux


On Fri, Jul 13, 2012 at 8:50 AM, Alexandra Test <
testalexandrainstitute@gmail.com> wrote:


> I tried to investigate without success, so I decided to try to use
> restorecon. Does it need to be run as root?
> On which files do I need to use restorecon, and how?
>
>
You'll not only have to be root, but you'll also need to remount your
system partition (Android mounts it read-only).
I would try:
adb shell
su
mount -o rw,remount </dev/block path for your device> /system
restorecon -R /system


* Re: SE Android (Was: Re: Welcome to selinux)
  2012-07-15  4:25                           ` Robert Craig
@ 2012-07-16 10:47                             ` Alexandra Test
  2012-07-16 12:40                               ` Alexandra Test
  0 siblings, 1 reply; 24+ messages in thread
From: Alexandra Test @ 2012-07-16 10:47 UTC (permalink / raw)
  To: Robert Craig; +Cc: Stephen Smalley, selinux


it works, thank you! :-)

On Sun, Jul 15, 2012 at 6:25 AM, Robert Craig <robertpcraig@gmail.com> wrote:

> On Fri, Jul 13, 2012 at 8:50 AM, Alexandra Test <
> testalexandrainstitute@gmail.com> wrote:
>
>
>> I tried to investigate without success, so I decided to try to use
>> restorecon. Do I need to be root?
>> On which files do I need to use restorecon? How?
>>
>>
> You'll not only have to be root, but you'll also need to remount your
> system partition (android mounts it read only).
> I would try:
> adb shell
> su
> mount -o rw,remount </dev/block path for your device> /system
> restorecon -R /system
>


* Re: SE Android (Was: Re: Welcome to selinux)
  2012-07-16 10:47                             ` Alexandra Test
@ 2012-07-16 12:40                               ` Alexandra Test
  2012-07-19 13:18                                 ` Stephen Smalley
       [not found]                                 ` <CAFftDdrDSKKeXJga_PO0LJiUsqb3VVMjnSNQFWF66K7QrJ43Bg@mail.gmail.com>
  0 siblings, 2 replies; 24+ messages in thread
From: Alexandra Test @ 2012-07-16 12:40 UTC (permalink / raw)
  To: Robert Craig; +Cc: Stephen Smalley, selinux


My phone is now in enforcing mode but I can not install anything.
I tried from Google Play but after the download, when it tries to install
it says:
"the download url is not valid"

Do I have to change the policies? I saw the app.te files in
external/sepolicy in the build directory, but where can I find the same
file on the phone?
Do I need to rebuild and reflash every time I change the policies?



On Mon, Jul 16, 2012 at 12:47 PM, Alexandra Test <
testalexandrainstitute@gmail.com> wrote:

> it works, thank you! :-)
>
>
> On Sun, Jul 15, 2012 at 6:25 AM, Robert Craig <robertpcraig@gmail.com> wrote:
>
>> On Fri, Jul 13, 2012 at 8:50 AM, Alexandra Test <
>> testalexandrainstitute@gmail.com> wrote:
>>
>>
>>> I tried to investigate without success, so I decided to try to use
>>> restorecon. Do I need to be root?
>>> On which files do I need to use restorecon? How?
>>>
>>>
>> You'll not only have to be root, but you'll also need to remount your
>> system partition (android mounts it read only).
>>  I would try:
>> adb shell
>> su
>> mount -o rw,remount </dev/block path for your device> /system
>> restorecon -R /system
>>
>
>


* Re: SE Android (Was: Re: Welcome to selinux)
  2012-07-16 12:40                               ` Alexandra Test
@ 2012-07-19 13:18                                 ` Stephen Smalley
       [not found]                                 ` <CAFftDdrDSKKeXJga_PO0LJiUsqb3VVMjnSNQFWF66K7QrJ43Bg@mail.gmail.com>
  1 sibling, 0 replies; 24+ messages in thread
From: Stephen Smalley @ 2012-07-19 13:18 UTC (permalink / raw)
  To: Alexandra Test; +Cc: Robert Craig, selinux

On Mon, 2012-07-16 at 14:40 +0200, Alexandra Test wrote:
> My phone is now in enforcing mode but I can not install anything.
> I tried from Google Play but after the download, when it tries to
> install it says:
> "the download url is not valid"
> 
> Do I have to change the policies? I saw the app.te files in
> external/sepolicy in the build directory, but where can I find the
> same file on the phone?
> Do I need to rebuild and reflash every time I change the policies?

Check for avc denials.  With regard to updating the policy, you can
modify the policy source files, do a 'make sepolicy' to regenerate the
kernel policy file, do an 'adb push
out/target/product/<device>/root/sepolicy.24 /data/system/' and do a
'adb shell su 0 setprop selinux.loadpolicy 1' to reload policy
from /data/system rather than having to reflash the system partition
each time. 

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SE Android (Was: Re: Welcome to selinux)
       [not found]                                               ` <CAKi3Pup5Om=x28GW=j=LTC9z8GgrcwUoty6w8hQnPJpNaJE91w@mail.gmail.com>
@ 2012-08-09 18:23                                                 ` William Roberts
  2012-08-13  8:37                                                   ` Alexandra Test
  0 siblings, 1 reply; 24+ messages in thread
From: William Roberts @ 2012-08-09 18:23 UTC (permalink / raw)
  To: Alexandra Test, selinux

I don't see any denials being caused by gapps so that's ok.

What version of SEAndroid are you running?

You can pipe your denial logs (dmesg) through a tool called
audit2allow to get a more concise reading. It often helps to make sense
of things.

adb shell dmesg | audit2allow

It looks like some things are not getting labeled properly
#============= mediaserver ==============
allow mediaserver device:chr_file { read write ioctl open };
allow mediaserver system_data_file:dir { read open };
allow mediaserver system_data_file:file open;

We don't care about shell
#============= shell ==============
allow shell device:chr_file { read write getattr ioctl };

We may need to allow this in the policy...need to put more thought in it.
#============= system ==============
allow system proc:file write;
allow system rild:unix_stream_socket connectto;

Denials explained:
allow system proc:file write is from this denial:
<5>[   24.782653] type=1400 audit(1344517139.820:6): avc:  denied  {
write } for  pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl"
dev=proc ino=4026532651 scontext=u:r:system:s0
tcontext=u:object_r:proc:s0 tclass=file
This should be fixed on tuna/maguro device...

allow system rild:unix_stream_socket connectto is from this denial
<5>[   25.809204] type=1400 audit(1344517140.843:7): avc:  denied  {
connectto } for  pid=460 comm="GpsLocationProv"
path=004D756C7469636C69656E74 scontext=u:r:system:s0
tcontext=u:r:rild:s0 tclass=unix_stream_socket
This should be fixed..

Media server denials:
<5>[   26.586181] type=1400 audit(1344517141.625:8): avc:  denied  {
read } for  pid=175 comm=42696E646572205468726561642023
name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0
tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.586364] type=1400 audit(1344517141.625:9): avc:  denied  {
open } for  pid=175 comm=42696E646572205468726561642023
name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0
tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  {
write } for  pid=175 comm=42696E646572205468726561642023
name="rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  {
ioctl } for  pid=175 comm=42696E646572205468726561642023
path="/dev/rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
tcontext=u:object_r:device:s0 tclass=chr_file

The problem here comes from labeling:
/dev/rpmsg-omx1 is not labeled properly but should be, it was fixed in
external/sepolicy commit ee5f4005

Make sure your seandroid is up to date, I have a feeling you need to
update your local_manifest.xml file and do a new repo sync..

I am also forwarding this to the public mailing list, so others can
learn from this and answer problems before they arise. I hope this
helps, and from now on direct these types of questions back to the
mailing list to help others out.

Bill

On Thu, Aug 9, 2012 at 6:15 AM, Alexandra Test
<testalexandrainstitute@gmail.com> wrote:
> Hi William,
> I tried again and it did not work again.
> The reason why I installed from a gapp*.zip file is because it has all the
> dependencies verified; I tried before to install from the apk, extracted
> from the phone, but it did not work.
> I did the restorecon simply with this command:
> adb shell
> su
> mount -o rw,remount /dev/block/platform/omap/omap /system
> restorecon -R /system
> It does not work! How is it possible? The phone is still in permissive mode,
> I cannot change to enforcing mode.
> The list of my denials:
> <5>[    5.459838] type=1400 audit(1344517120.492:3): avc:  denied  { read
> write } for  pid=129 comm="sh" name="ttyFIQ0" dev=tmpfs ino=2914
> scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[    5.537353] type=1400 audit(1344517120.570:4): avc:  denied  { getattr
> } for  pid=129 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2914
> scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[    5.538055] type=1400 audit(1344517120.570:5): avc:  denied  { ioctl }
> for  pid=129 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2914
> scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[   24.782653] type=1400 audit(1344517139.820:6): avc:  denied  { write }
> for  pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl" dev=proc
> ino=4026532651 scontext=u:r:system:s0 tcontext=u:object_r:proc:s0
> tclass=file
> <5>[   25.809204] type=1400 audit(1344517140.843:7): avc:  denied  {
> connectto } for  pid=460 comm="GpsLocationProv"
> path=004D756C7469636C69656E74 scontext=u:r:system:s0 tcontext=u:r:rild:s0
> tclass=unix_stream_socket
> <5>[   26.586181] type=1400 audit(1344517141.625:8): avc:  denied  { read }
> for  pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs
> ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> tclass=chr_file
> <5>[   26.586364] type=1400 audit(1344517141.625:9): avc:  denied  { open }
> for  pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs
> ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> tclass=chr_file
> <5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  { write
> } for  pid=175 comm=42696E646572205468726561642023 name="rpmsg-omx1"
> dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> tclass=chr_file
> <5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  { ioctl
> } for  pid=175 comm=42696E646572205468726561642023 path="/dev/rpmsg-omx1"
> dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> tclass=chr_file
> <5>[   26.775054] type=1400 audit(1344517141.812:12): avc:  denied  { read }
> for  pid=175 comm=42696E646572205468726561642023
> name="R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044" dev=mmcblk0p12
> ino=138460 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:system_data_file:s0 tclass=dir
> <5>[   26.775268] type=1400 audit(1344517141.812:13): avc:  denied  { open }
> for  pid=175 comm=42696E646572205468726561642023
> name="R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044" dev=mmcblk0p12
> ino=138460 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:system_data_file:s0 tclass=dir
> <5>[   26.775695] type=1400 audit(1344517141.812:14): avc:  denied  { open }
> for  pid=175 comm=42696E646572205468726561642023 name="calib.bin"
> dev=mmcblk0p12 ino=138461 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:system_data_file:s0 tclass=file
>
>
> Thanks for your help
>
>
>
> On Tue, Aug 7, 2012 at 7:06 PM, William Roberts <bill.c.roberts@gmail.com>
> wrote:
>>
>> 1. The seapp_contexts, file_contexts, sepolicy.24 and
>> property_contexts are in the ramdisk for the rootfs, which is in
>> boot.img. When a device is running, you will find these files in '/'.
>> (ls / will    show them)
>>
>> 2. You can push any of those files, or all to /system/data and then
>> setprop selinux.reload_policy 1. See the info here:
>> http://selinuxproject.org/page/SEAndroid#SE_Android_Policy
>>
>> 3. You can extract apk's in many ways, this blog has a few:
>>
>> http://mauweb.net/3.0/en/technology/17-android/100-icon-androidextracting-apk-files-from-your-android.html
>>
>> Bill
>>
>> On Tue, Aug 7, 2012 at 1:01 AM, Alexandra Test
>> <testalexandrainstitute@gmail.com> wrote:
>> > I installed the gapp (downloaded here
>> > https://faramir.eriador.org/r/gapps-ics-20120317-signed.zip) as an
>> > independent package and then I used restorecon.
>> >
>> > About the policy, I have two files in external/sepolicy/seapp_context
>> > and
>> > property_context
>> > Where can I find these files in the phone memory? do I need every time
>> > to
>> > modify the source files and then provide the system building?
>> > If I want to extract the gapp from the original build how can I do that?
>> >
>> > Thanks for your help
>> >
>> >
>> >
>> > On Mon, Aug 6, 2012 at 7:44 PM, William Roberts
>> > <bill.c.roberts@gmail.com>
>> > wrote:
>> >>
>> >> It should be working, as we wrote a lot of the policy for that device
>> >> and didn't experience any denials. If you're installing apps from
>> >> recovery (like gapps), make sure you use the recovery.img that gets
>> >> built and not clock-work mod.
>> >>
>> >> On Mon, Aug 6, 2012 at 3:35 AM, Alexandra Test
>> >> <testalexandrainstitute@gmail.com> wrote:
>> >> > Hi William,
>> >> > sorry for the late reply, I was on vacation.
>> >> > I am using a Samsung Galaxy Nexus with the tuna master branch.
>> >> >
>> >> > Thanks for your help!
>> >> > Anna
>> >> >
>> >> >
>> >> > On Wed, Jul 18, 2012 at 7:31 PM, William Roberts
>> >> > <bill.c.roberts@gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> You have a lot of denials. What device and branch of code are you
>> >> >> using?
>> >> >>
>> >> >> I might be able to help you get these fixed.
>> >> >>
>> >> >> On Wed, Jul 18, 2012 at 12:24 AM, Alexandra Test
>> >> >> <testalexandrainstitute@gmail.com> wrote:
>> >> >>>
>> >> >>> Yes, in the attached files you can see the denials.
>> >> >>>
>> >> >>> In permissive mode I can install everything.
>> >> >>>
>> >> >>> Any ideas?
>> >> >>>
>> >> >>> On 16 Jul 2012 18:13, "William Roberts"
>> >> >>> <bill.c.roberts@gmail.com>
>> >> >>> wrote:
>> >> >>>
>> >> >>>> Do you have any denials? Does installation work in permissive mode?
>> >> >>>>
>> >> >>>> On Jul 16, 2012 5:44 AM, "Alexandra Test"
>> >> >>>> <testalexandrainstitute@gmail.com> wrote:
>> >> >>>>>
>> >> >>>>> My phone is now in enforcing mode but I can not install
>> >> >>>>> anything.
>> >> >>>>> I tried from Google Play but after the download, when it tries to
>> >> >>>>> install it says:
>> >> >>>>> "the download url is not valid"
>> >> >>>>>
>> >> >>>>> Do I have to change the policies? I saw the app.te files in
>> >> >>>>> external/sepolicy in the build directory, but where can I find
>> >> >>>>> the
>> >> >>>>> same file
>> >> >>>>> on the phone?
>> >> >>>>> Do I need to rebuild and reflash every time I change the
>> >> >>>>> policies?
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> On Mon, Jul 16, 2012 at 12:47 PM, Alexandra Test
>> >> >>>>> <testalexandrainstitute@gmail.com> wrote:
>> >> >>>>>>
>> >> >>>>>> it works, thank you! :-)
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> On Sun, Jul 15, 2012 at 6:25 AM, Robert Craig
>> >> >>>>>> <robertpcraig@gmail.com>
>> >> >>>>>> wrote:
>> >> >>>>>>>
>> >> >>>>>>> On Fri, Jul 13, 2012 at 8:50 AM, Alexandra Test
>> >> >>>>>>> <testalexandrainstitute@gmail.com> wrote:
>> >> >>>>>>>
>> >> >>>>>>>>
>> >> >>>>>>>> I tried to investigate without success, so I decided to try to
>> >> >>>>>>>> use
>> >> >>>>>>>> restorecon. Do I need to be root?
>> >> >>>>>>>> On which files do I need to use restorecon? How?
>> >> >>>>>>>>
>> >> >>>>>>>
>> >> >>>>>>> You'll not only have to be root, but you'll also need to
>> >> >>>>>>> remount
>> >> >>>>>>> your
>> >> >>>>>>> system partition (android mounts it read only).
>> >> >>>>>>> I would try:
>> >> >>>>>>> adb shell
>> >> >>>>>>> su
>> >> >>>>>>> mount -o rw,remount </dev/block path for your device> /system
>> >> >>>>>>> restorecon -R /system
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Respectfully,
>> >> >>
>> >> >> William C Roberts
>> >> >>
>> >> >>
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Respectfully,
>> >>
>> >> William C Roberts
>> >
>> >
>>
>>
>>
>> --
>> Respectfully,
>>
>> William C Roberts
>
>



-- 
Respectfully,

William C Roberts
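Bill's audit2allow step and denial walkthrough above, as an added example that is not code from the thread, from audit2allow, or from the SE Android project: a Python triage script that parses the quoted avc lines (copied into the block as sample input), merges them into allow rules the way audit2allow prints them, decodes the hex-encoded comm and path values, and reports targets still carrying the generic device type, which Bill identifies as a labeling problem rather than a missing rule.

```python
"""Triage of SELinux AVC denials, in the spirit of 'adb shell dmesg | audit2allow'.

Added example for this thread; it is not code from the thread, from the
audit2allow tool, or from the SE Android project.  It parses type=1400 avc
lines, merges them into allow rules keyed by (source domain, target type,
class) the way audit2allow prints them, decodes the hex that the kernel
emits for "untrusted" string fields, and separately reports targets that
still carry the generic 'device' type, which in this thread was a
file_contexts labeling gap (/dev/rpmsg-omx1) rather than a missing rule.
"""
import re
from collections import OrderedDict

# Constructed sample: four denial lines copied from those quoted in the thread.
SAMPLE_DMESG = """\
<5>[    5.459838] type=1400 audit(1344517120.492:3): avc:  denied  { read write } for  pid=129 comm="sh" name="ttyFIQ0" dev=tmpfs ino=2914 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   24.782653] type=1400 audit(1344517139.820:6): avc:  denied  { write } for  pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl" dev=proc ino=4026532651 scontext=u:r:system:s0 tcontext=u:object_r:proc:s0 tclass=file
<5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  { ioctl } for  pid=175 comm=42696E646572205468726561642023 path="/dev/rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  { write } for  pid=175 comm=42696E646572205468726561642023 name="rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields the kernel logs as "untrusted strings": a printable value is quoted,
# one containing a space, a quote or a control byte is emitted as bare hex.
UNTRUSTED_FIELDS = {"comm", "name", "path"}


def decode_untrusted(raw):
    """Undo the kernel's untrusted-string encoding for one field value."""
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("latin-1")
    return raw


def context_type(ctx):
    """Third field of a context: u:r:system:s0 -> system, u:object_r:device:s0 -> device."""
    return ctx.split(":")[2]


def parse_denial(line):
    """Return a dict for one avc denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    denial = {"perms": m.group("perms").split()}
    for key, raw in FIELD_RE.findall(m.group("rest")):
        denial[key] = decode_untrusted(raw) if key in UNTRUSTED_FIELDS else raw
    return denial


def allow_rules(text):
    """Collapse all denials in text into audit2allow-style rules, sorted by key."""
    merged = {}
    for line in text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        perms = merged.setdefault(key, OrderedDict())
        for p in d["perms"]:
            perms[p] = None  # keep first-seen order, drop duplicates
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = list(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def labeling_suspects(text):
    """(domain, node) pairs whose target is still the generic 'device' type.

    'allow mediaserver device:chr_file ...' would open every node under /dev
    that lacks a specific label, so these are reported for a file_contexts
    entry instead of being turned into rules.
    """
    seen = []
    for line in text.splitlines():
        d = parse_denial(line)
        if d is None or context_type(d["tcontext"]) != "device":
            continue
        node = d.get("name") or d.get("path", "").rsplit("/", 1)[-1]
        entry = (context_type(d["scontext"]), node)
        if entry not in seen:
            seen.append(entry)
    return seen


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_DMESG):
        print(rule)
    for domain, node in labeling_suspects(SAMPLE_DMESG):
        print(f"relabel rather than allow: {domain} -> /dev/{node}")
```

The hex comm in the sample decodes to "Binder Thread #", which is why the kernel did not print it in quotes; the abstract-socket path in the rild denial decodes the same way to a NUL-prefixed name.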


* Re: SE Android (Was: Re: Welcome to selinux)
  2012-08-09 18:23                                                 ` William Roberts
@ 2012-08-13  8:37                                                   ` Alexandra Test
  2012-08-13 12:31                                                     ` Stephen Smalley
       [not found]                                                     ` <CAFftDdozQQH7skpco0XtJ2HS_yjd1AYS8tNbFqQLkS9oDWEqYg@mail.gmail.com>
  0 siblings, 2 replies; 24+ messages in thread
From: Alexandra Test @ 2012-08-13  8:37 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux


My version was a bit old so I decided to update it.

Unfortunately it cannot succeed, this is the error:
update-apt-xapian-index has closedReceiving objects:  82% (4843/5898),
299.71 Mifatal: The remote end hung up unexpectedly65 MiB | 411 KiB/s
fatal: early EOF
fatal: index-pack failed
remote: Counting objects: 5898, done.
remote: Compressing objects: 100% (2778/2778), done.
^Cerror: Cannot fetch device-samsung-tuna77 MiB | 400 KiB/s
I am using the master version. If I look into the folder it did not write
anything inside...

Thanks for your help

On Thu, Aug 9, 2012 at 8:23 PM, William Roberts <bill.c.roberts@gmail.com> wrote:

> I don't see any denials being caused by gapps so that's ok.
>
> What version of SEAndroid are you running?
>
> You can pipe your denial logs (dmesg) through a tool called
> audit2allow to get a more concise reading. It often helps to make sense
> of things.
>
> adb shell dmesg | audit2allow
>
> It looks like some things are not getting labeled properly
> #============= mediaserver ==============
> allow mediaserver device:chr_file { read write ioctl open };
> allow mediaserver system_data_file:dir { read open };
> allow mediaserver system_data_file:file open;
>
> We don't care about shell
> #============= shell ==============
> allow shell device:chr_file { read write getattr ioctl };
>
> We may need to allow this in the policy...need to put more thought in it.
> #============= system ==============
> allow system proc:file write;
> allow system rild:unix_stream_socket connectto;
>
> Denials explained:
> allow system proc:file write is from this denial:
> <5>[   24.782653] type=1400 audit(1344517139.820:6): avc:  denied  {
> write } for  pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl"
> dev=proc ino=4026532651 scontext=u:r:system:s0
> tcontext=u:object_r:proc:s0 tclass=file
> This should be fixed on tuna/maguro device...
>
> allow system rild:unix_stream_socket connectto is from this denial
> <5>[   25.809204] type=1400 audit(1344517140.843:7): avc:  denied  {
> connectto } for  pid=460 comm="GpsLocationProv"
> path=004D756C7469636C69656E74 scontext=u:r:system:s0
> tcontext=u:r:rild:s0 tclass=unix_stream_socket
> This should be fixed..
>
> Media server denials:
> <5>[   26.586181] type=1400 audit(1344517141.625:8): avc:  denied  {
> read } for  pid=175 comm=42696E646572205468726561642023
> name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[   26.586364] type=1400 audit(1344517141.625:9): avc:  denied  {
> open } for  pid=175 comm=42696E646572205468726561642023
> name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  {
> write } for  pid=175 comm=42696E646572205468726561642023
> name="rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  {
> ioctl } for  pid=175 comm=42696E646572205468726561642023
> path="/dev/rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:device:s0 tclass=chr_file
>
> The problem here comes from labeling:
> /dev/rpmsg-omx1 is not labeled properly but should be, it was fixed in
> external/sepolicy commit ee5f4005
>
> Make sure your seandroid is up to date, I have a feeling you need to
> update your local_manifest.xml file and do a new repo sync..
>
> I am also forwarding this to the public mailing list, so others can
> learn from this and answer problems before they arise. I hope this
> helps, and from now on direct these types of questions back to the
> mailing list to help others out.
>
> Bill
>
> On Thu, Aug 9, 2012 at 6:15 AM, Alexandra Test
> <testalexandrainstitute@gmail.com> wrote:
> > Hi William,
> > I tried again and it did not work again.
> > The reason why I installed from a gapp*.zip file is because it has all
> the
> > dependencies verified; I tried before to install from the apk, extracted
> > from the phone, but it did not work.
> > I did the restorecon simply with this command:
> > adb shell
> > su
> > mount -o rw,remount /dev/block/platform/omap/omap /system
> > restorecon -R /system
> > It does not work! How is it possible? The phone is still in permissive
> mode,
> > I cannot change to enforcing mode.
> > The list of my denials:
> > <5>[    5.459838] type=1400 audit(1344517120.492:3): avc:  denied  { read
> > write } for  pid=129 comm="sh" name="ttyFIQ0" dev=tmpfs ino=2914
> > scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> > <5>[    5.537353] type=1400 audit(1344517120.570:4): avc:  denied  {
> getattr
> > } for  pid=129 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2914
> > scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> > <5>[    5.538055] type=1400 audit(1344517120.570:5): avc:  denied  {
> ioctl }
> > for  pid=129 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2914
> > scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> > <5>[   24.782653] type=1400 audit(1344517139.820:6): avc:  denied  {
> write }
> > for  pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl" dev=proc
> > ino=4026532651 scontext=u:r:system:s0 tcontext=u:object_r:proc:s0
> > tclass=file
> > <5>[   25.809204] type=1400 audit(1344517140.843:7): avc:  denied  {
> > connectto } for  pid=460 comm="GpsLocationProv"
> > path=004D756C7469636C69656E74 scontext=u:r:system:s0 tcontext=u:r:rild:s0
> > tclass=unix_stream_socket
> > <5>[   26.586181] type=1400 audit(1344517141.625:8): avc:  denied  {
> read }
> > for  pid=175 comm=42696E646572205468726561642023 name="rproc_user"
> dev=tmpfs
> > ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> > tclass=chr_file
> > <5>[   26.586364] type=1400 audit(1344517141.625:9): avc:  denied  {
> open }
> > for  pid=175 comm=42696E646572205468726561642023 name="rproc_user"
> dev=tmpfs
> > ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> > tclass=chr_file
> > <5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  {
> write
> > } for  pid=175 comm=42696E646572205468726561642023 name="rpmsg-omx1"
> > dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:device:s0
> > tclass=chr_file
> > <5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  {
> ioctl
> > } for  pid=175 comm=42696E646572205468726561642023 path="/dev/rpmsg-omx1"
> > dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:device:s0
> > tclass=chr_file
> > <5>[   26.775054] type=1400 audit(1344517141.812:12): avc:  denied  {
> read }
> > for  pid=175 comm=42696E646572205468726561642023
> > name="R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044" dev=mmcblk0p12
> > ino=138460 scontext=u:r:mediaserver:s0
> > tcontext=u:object_r:system_data_file:s0 tclass=dir
> > <5>[   26.775268] type=1400 audit(1344517141.812:13): avc:  denied  {
> open }
> > for  pid=175 comm=42696E646572205468726561642023
> > name="R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044" dev=mmcblk0p12
> > ino=138460 scontext=u:r:mediaserver:s0
> > tcontext=u:object_r:system_data_file:s0 tclass=dir
> > <5>[   26.775695] type=1400 audit(1344517141.812:14): avc:  denied  {
> open }
> > for  pid=175 comm=42696E646572205468726561642023 name="calib.bin"
> > dev=mmcblk0p12 ino=138461 scontext=u:r:mediaserver:s0
> > tcontext=u:object_r:system_data_file:s0 tclass=file
> >
> >
> > Thanks for your help
> >
> >
> >
> > On Tue, Aug 7, 2012 at 7:06 PM, William Roberts <
> bill.c.roberts@gmail.com>
> > wrote:
> >>
> >> 1. The seapp_contexts, file_contexts, sepolicy.24 and
> >> property_contexts are in the ramdisk for the rootfs, which is in
> >> boot.img. When a device is running, you will find these files in '/'.
> >> (ls / will    show them)
> >>
> >> 2. You can push any of those files, or all to /system/data and then
> >> setprop selinux.reload_policy 1. See the info here:
> >> http://selinuxproject.org/page/SEAndroid#SE_Android_Policy
> >>
> >> 3. You can extract apk's in many ways, this blog has a few:
> >>
> >>
> http://mauweb.net/3.0/en/technology/17-android/100-icon-androidextracting-apk-files-from-your-android.html
> >>
> >> Bill
> >>
> >> On Tue, Aug 7, 2012 at 1:01 AM, Alexandra Test
> >> <testalexandrainstitute@gmail.com> wrote:
> >> > I installed the gapp (downloaded here
> >> > https://faramir.eriador.org/r/gapps-ics-20120317-signed.zip) as an
> >> > independent package and then I used restorecon.
> >> >
> >> > About the policy, I have two files in external/sepolicy/seapp_context
> >> > and
> >> > property_context
> >> > Where can I find these files in the phone memory? do I need every time
> >> > to
> >> > modify the source files and then provide the system building?
> >> > If I want to extract the gapp from the original build how can I do
> that?
> >> >
> >> > Thanks for your help
> >> >
> >> >
> >> >
> >> > On Mon, Aug 6, 2012 at 7:44 PM, William Roberts
> >> > <bill.c.roberts@gmail.com>
> >> > wrote:
> >> >>
> >> >> It should be working, as we wrote a lot of the policy for that device
> >> >> and didn't experience any denials. If you're installing apps from
> >> >> recovery (Like gapps), make sure you use the recovery.img that gets
> >> >> built and not clock-work mod.
> >> >>
> >> >> On Mon, Aug 6, 2012 at 3:35 AM, Alexandra Test
> >> >> <testalexandrainstitute@gmail.com> wrote:
> >> >> > Hi William,
> >> >> > sorry for the late reply, I was on vacation.
> >> >> > I am using a Samsung Galaxy Nexus with the tuna master branch.
> >> >> >
> >> >> > Thanks for your help!
> >> >> > Anna
> >> >> >
> >> >> >
> >> >> > On Wed, Jul 18, 2012 at 7:31 PM, William Roberts
> >> >> > <bill.c.roberts@gmail.com>
> >> >> > wrote:
> >> >> >>
> >> >> >> You have a lot of denials. What device and branch of code are you
> >> >> >> using?
> >> >> >>
> >> >> >> I might be able to help you get these fixed.
> >> >> >>
> >> >> >> On Wed, Jul 18, 2012 at 12:24 AM, Alexandra Test
> >> >> >> <testalexandrainstitute@gmail.com> wrote:
> >> >> >>>
> >> >> >>> Yes, in the attached files you can see the denials.
> >> >> >>>
> >> >> >>> In permissive mode I can install everything.
> >> >> >>>
> >> >> >>> Any ideas?
> >> >> >>>
> >> >> >>> On 16 Jul 2012 18:13, "William Roberts"
> >> >> >>> <bill.c.roberts@gmail.com>
> >> >> >>> wrote:
> >> >> >>>
> >> >> >>>> Do you have any denials? Does installation work in permissive mode?
> >> >> >>>>
> >> >> >>>> On Jul 16, 2012 5:44 AM, "Alexandra Test"
> >> >> >>>> <testalexandrainstitute@gmail.com> wrote:
> >> >> >>>>>
> >> >> >>>>> My phone is now in enforcing mode but I can not install
> >> >> >>>>> anything.
> >> >> >>>>> I tried from Google Play but after the download, when it tries
> to
> >> >> >>>>> install it says:
> >> >> >>>>> "the download url is not valid"
> >> >> >>>>>
> >> >> >>>>> Do I have to change the policies? I saw the app.te files in
> >> >> >>>>> external/sepolicy in the build directory, but where can I find
> >> >> >>>>> the
> >> >> >>>>> same file
> >> >> >>>>> on the phone?
> >> >> >>>>> Do I need to rebuild and reflash every time I change the
> >> >> >>>>> policies?
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>> On Mon, Jul 16, 2012 at 12:47 PM, Alexandra Test
> >> >> >>>>> <testalexandrainstitute@gmail.com> wrote:
> >> >> >>>>>>
> >> >> >>>>>> it works, thank you! :-)
> >> >> >>>>>>
> >> >> >>>>>>
> >> >> >>>>>> On Sun, Jul 15, 2012 at 6:25 AM, Robert Craig
> >> >> >>>>>> <robertpcraig@gmail.com>
> >> >> >>>>>> wrote:
> >> >> >>>>>>>
> >> >> >>>>>>> On Fri, Jul 13, 2012 at 8:50 AM, Alexandra Test
> >> >> >>>>>>> <testalexandrainstitute@gmail.com> wrote:
> >> >> >>>>>>>
> >> >> >>>>>>>>
> >> >> >>>>>>>> I tried to investigate without success, so I decided to try
> to
> >> >> >>>>>>>> use
> >> >> >>>>>>>> restorecon. Do I need to be root?
> >> >> >>>>>>>> On which files do I need to use restorecon? How?
> >> >> >>>>>>>>
> >> >> >>>>>>>
> >> >> >>>>>>> You'll not only have to be root, but you'll also need to
> >> >> >>>>>>> remount
> >> >> >>>>>>> your
> >> >> >>>>>>> system partition (android mounts it read only).
> >> >> >>>>>>> I would try:
> >> >> >>>>>>> adb shell
> >> >> >>>>>>> su
> >> >> >>>>>>> mount -o rw,remount </dev/block path for your device> /system
> >> >> >>>>>>> restorecon -R /system
> >> >> >>>>>>
> >> >> >>>>>>
> >> >> >>>>>
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> Respectfully,
> >> >> >>
> >> >> >> William C Roberts
> >> >> >>
> >> >> >>
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Respectfully,
> >> >>
> >> >> William C Roberts
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Respectfully,
> >>
> >> William C Roberts
> >
> >
>
>
>
> --
> Respectfully,
>
> William C Roberts
>


* Re: SE Android (Was: Re: Welcome to selinux)
  2012-08-13  8:37                                                   ` Alexandra Test
@ 2012-08-13 12:31                                                     ` Stephen Smalley
       [not found]                                                     ` <CAFftDdozQQH7skpco0XtJ2HS_yjd1AYS8tNbFqQLkS9oDWEqYg@mail.gmail.com>
  1 sibling, 0 replies; 24+ messages in thread
From: Stephen Smalley @ 2012-08-13 12:31 UTC (permalink / raw)
  To: Alexandra Test; +Cc: William Roberts, selinux

On Mon, 2012-08-13 at 10:37 +0200, Alexandra Test wrote:
> My version was a bit old so I decided to update it.
> 
> Unfortunately it cannot succeed, this is the error:
> update-apt-xapian-index has closedReceiving objects:  82% (4843/5898),
> 299.71 Mifatal: The remote end hung up unexpectedly65 MiB | 411
> KiB/s    
> fatal: early EOF
> fatal: index-pack failed
> remote: Counting objects: 5898, done.
> remote: Compressing objects: 100% (2778/2778), done.
> ^Cerror: Cannot fetch device-samsung-tuna77 MiB | 400 KiB/s  
> 
> I am using the master version. If I look into the folder it did not
> write anything inside...

Previously discussed on list (subject was "Cloning Android repo's from
bitbucket").  The problem is that the tuna project is very large and
apparently git clone via https falls over for such a large project from
bitbucket.org.  Options for resolving:

1) Switch to using ssh access.  Requires creating a registered bitbucket
account first with ssh keys.  To use this approach, create an account on
bitbucket.org, upload your public ssh key, and switch to the master-ssh
branch of the manifests project to get the local_manifest.xml file using
ssh access.

-or-

2) Do your repo sync first without the local_manifest.xml file (i.e.
just download AOSP), then move the local_manifest.xml file into place
and run repo sync again.  This should fetch the original projects from
AOSP which in turn should reduce what it has to fetch from bitbucket.org
to just our changes.
 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SE Android (Was: Re: Welcome to selinux)
       [not found]                                                     ` <CAFftDdozQQH7skpco0XtJ2HS_yjd1AYS8tNbFqQLkS9oDWEqYg@mail.gmail.com>
@ 2012-08-14 10:42                                                       ` Alexandra Test
  2012-08-14 14:33                                                         ` Stephen Smalley
  0 siblings, 1 reply; 24+ messages in thread
From: Alexandra Test @ 2012-08-14 10:42 UTC (permalink / raw)
  To: William Roberts, selinux


When I try to check out the aosp, it fails with this error:
  File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 385, in <module>
    _Main(sys.argv[1:])
  File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 365, in _Main
    result = repo._Run(argv) or 0
  File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 137, in _Run
    result = cmd.Execute(copts, cargs)
  File "/home/ubuntu-user/Selinux/.repo/repo/subcmds/sync.py", line 469, in Execute
    project.Sync_LocalHalf(syncbuf)
  File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1049, in Sync_LocalHalf
    lost = self._revlist(not_rev(revid), HEAD)
  File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1791, in _revlist
    return self.work_git.rev_list(*a, **kw)
  File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1936, in rev_list
    p.stderr))
error.GitError: dalvik rev-list ('^938208a28b56f360c6cb0fb3a5e57d6121924a93', 'HEAD', '--'): fatal: bad object HEAD

Any idea?

On Mon, Aug 13, 2012 at 8:01 PM, William Roberts
<bill.c.roberts@gmail.com> wrote:

> I would delete your local_manifest.xml file under .repo and then do
> another sync on it.
>
> Once you can check out aosp cleanly, then I would move back to getting
> the SEAndroid add-ons. Also, the remotes for seandroid moved to
> bitbucket and we have issues with non-ssh checkouts over it. I would
> do an ssh checkout by:
>
> creating a bitbucket.org account and adding an ssh key
>
> git clone git://git.selinuxproject.org/~seandroid/manifests
>
> cd manifests
> git checkout -b master-ssh origin/master-ssh
> cp local_manifest.xml to .repo directory
>
> Then do a new repo sync...
>
> Bill
>
> On Mon, Aug 13, 2012 at 1:37 AM, Alexandra Test
> <testalexandrainstitute@gmail.com> wrote:
> > My version was a bit old so I decided to update it.
> >
> > Unfortunately it cannot succeed, this is the error:
> > update-apt-xapian-index has closedReceiving objects:  82% (4843/5898),
> > 299.71 Mifatal: The remote end hung up unexpectedly65 MiB | 411 KiB/s
> > fatal: early EOF
> > fatal: index-pack failed
> > remote: Counting objects: 5898, done.
> > remote: Compressing objects: 100% (2778/2778), done.
> > ^Cerror: Cannot fetch device-samsung-tuna77 MiB | 400 KiB/s
> > I am using the master version. If I look into the folder it did not write
> > anything inside...
> >
> > Thanks for your help
> >
> > On Thu, Aug 9, 2012 at 8:23 PM, William Roberts <
> bill.c.roberts@gmail.com>
> > wrote:
> >>
> >> I don't see any denials being caused by gapps so that's ok.
> >>
> >> What version of SEAndroid are you running?
> >>
> >> You can pipe your denial logs (dmesg) through a tool called
> >> audit2allow to get a more concise reading. It often helps to make sense
> >> of things
> >>
> >> adb shell dmesg | audit2allow
> >>
> >> It looks like some things are not getting labeled properly
> >> #============= mediaserver ==============
> >> allow mediaserver device:chr_file { read write ioctl open };
> >> allow mediaserver system_data_file:dir { read open };
> >> allow mediaserver system_data_file:file open;
> >>
> >> We don't care about shell
> >> #============= shell ==============
> >> allow shell device:chr_file { read write getattr ioctl };
> >>
> >> We may need to allow this in the policy...need to put more thought in
> >> it.
> >> #============= system ==============
> >> allow system proc:file write;
> >> allow system rild:unix_stream_socket connectto;
> >>
> >> Denials explained:
> >> allow system proc:file write is from this denial:
> >> <5>[   24.782653] type=1400 audit(1344517139.820:6): avc:  denied  {
> >> write } for  pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl"
> >> dev=proc ino=4026532651 scontext=u:r:system:s0
> >> tcontext=u:object_r:proc:s0 tclass=file
> >> This should be fixed on tuna/maguro device...
> >>
> >> allow system rild:unix_stream_socket connectto is from this denial
> >> <5>[   25.809204] type=1400 audit(1344517140.843:7): avc:  denied  {
> >> connectto } for  pid=460 comm="GpsLocationProv"
> >> path=004D756C7469636C69656E74 scontext=u:r:system:s0
> >> tcontext=u:r:rild:s0 tclass=unix_stream_socket
> >> This should be fixed..
> >>
> >> Media server denies
> >> <5>[   26.586181] type=1400 audit(1344517141.625:8): avc:  denied  {
> >> read } for  pid=175 comm=42696E646572205468726561642023
> >> name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0
> >> tcontext=u:object_r:device:s0 tclass=chr_file
> >> <5>[   26.586364] type=1400 audit(1344517141.625:9): avc:  denied  {
> >> open } for  pid=175 comm=42696E646572205468726561642023
> >> name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0
> >> tcontext=u:object_r:device:s0 tclass=chr_file
> >> <5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  {
> >> write } for  pid=175 comm=42696E646572205468726561642023
> >> name="rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
> >> tcontext=u:object_r:device:s0 tclass=chr_file
> >> <5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  {
> >> ioctl } for  pid=175 comm=42696E646572205468726561642023
> >> path="/dev/rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
> >> tcontext=u:object_r:device:s0 tclass=chr_file
> >>
> >> The problem here comes from labeling:
> >> /dev/rpmsg-omx1 is not labeled properly but should be, it was fixed in
> >> external/sepolicy commit ee5f4005
> >>
> >> Make sure your seandroid is up to date, I have a feeling you need to
> >> update your local_manifest.xml file and do a new repo sync..
> >>
> >> I am also forwarding this to the public mailing list, so others can
> >> learn from this and answer problems before they arise. I hope this
> >> helps, and for now on direct these types of questions back to the
> >> mailing list to help others out.
> >>
> >> Bill
> >>
> >> On Thu, Aug 9, 2012 at 6:15 AM, Alexandra Test
> >> <testalexandrainstitute@gmail.com> wrote:
> >> > Hi William,
> >> > I tried again and it did not work again.
> >> > The reason why I installed from a gapp*.zip files is because it has
> >> > all the dependencies verified; I tried before to install from the apk,
> >> > extracted from the phone but it did not work.
> >> > I did the restorecon simply with this command:
> >> > adb shell
> >> > su
> >> > mount -o rw,remount /dev/block/platform/omap/omap /system
> >> > restorecon -R /system
> >> > It does not work! How is it possible? The phone is still in permissive
> >> > mode, I cannot change to enforcing mode.
> >> > The list of my denials:
> >> > <5>[    5.459838] type=1400 audit(1344517120.492:3): avc:  denied  {
> >> > read
> >> > write } for  pid=129 comm="sh" name="ttyFIQ0" dev=tmpfs ino=2914
> >> > scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> >> > <5>[    5.537353] type=1400 audit(1344517120.570:4): avc:  denied  {
> >> > getattr
> >> > } for  pid=129 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2914
> >> > scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> >> > <5>[    5.538055] type=1400 audit(1344517120.570:5): avc:  denied  {
> >> > ioctl }
> >> > for  pid=129 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2914
> >> > scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> >> > <5>[   24.782653] type=1400 audit(1344517139.820:6): avc:  denied  {
> >> > write }
> >> > for  pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl" dev=proc
> >> > ino=4026532651 scontext=u:r:system:s0 tcontext=u:object_r:proc:s0
> >> > tclass=file
> >> > <5>[   25.809204] type=1400 audit(1344517140.843:7): avc:  denied  {
> >> > connectto } for  pid=460 comm="GpsLocationProv"
> >> > path=004D756C7469636C69656E74 scontext=u:r:system:s0
> >> > tcontext=u:r:rild:s0
> >> > tclass=unix_stream_socket
> >> > <5>[   26.586181] type=1400 audit(1344517141.625:8): avc:  denied  {
> >> > read }
> >> > for  pid=175 comm=42696E646572205468726561642023 name="rproc_user"
> >> > dev=tmpfs
> >> > ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> >> > tclass=chr_file
> >> > <5>[   26.586364] type=1400 audit(1344517141.625:9): avc:  denied  {
> >> > open }
> >> > for  pid=175 comm=42696E646572205468726561642023 name="rproc_user"
> >> > dev=tmpfs
> >> > ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> >> > tclass=chr_file
> >> > <5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  {
> >> > write
> >> > } for  pid=175 comm=42696E646572205468726561642023 name="rpmsg-omx1"
> >> > dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
> >> > tcontext=u:object_r:device:s0
> >> > tclass=chr_file
> >> > <5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  {
> >> > ioctl
> >> > } for  pid=175 comm=42696E646572205468726561642023
> >> > path="/dev/rpmsg-omx1"
> >> > dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
> >> > tcontext=u:object_r:device:s0
> >> > tclass=chr_file
> >> > <5>[   26.775054] type=1400 audit(1344517141.812:12): avc:  denied  {
> >> > read }
> >> > for  pid=175 comm=42696E646572205468726561642023
> >> > name="R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044" dev=mmcblk0p12
> >> > ino=138460 scontext=u:r:mediaserver:s0
> >> > tcontext=u:object_r:system_data_file:s0 tclass=dir
> >> > <5>[   26.775268] type=1400 audit(1344517141.812:13): avc:  denied  {
> >> > open }
> >> > for  pid=175 comm=42696E646572205468726561642023
> >> > name="R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044" dev=mmcblk0p12
> >> > ino=138460 scontext=u:r:mediaserver:s0
> >> > tcontext=u:object_r:system_data_file:s0 tclass=dir
> >> > <5>[   26.775695] type=1400 audit(1344517141.812:14): avc:  denied  {
> >> > open }
> >> > for  pid=175 comm=42696E646572205468726561642023 name="calib.bin"
> >> > dev=mmcblk0p12 ino=138461 scontext=u:r:mediaserver:s0
> >> > tcontext=u:object_r:system_data_file:s0 tclass=file
> >> >
> >> >
> >> > Thanks for your help
> >> >
> >> >
> >> >
> >> > On Tue, Aug 7, 2012 at 7:06 PM, William Roberts
> >> > <bill.c.roberts@gmail.com>
> >> > wrote:
> >> >>
> >> >> 1. The seapp_contexts, file_contexts, sepolicy.24 and
> >> >> property_contexts are in the ramdisk for the rootfs, which is in
> >> >> boot.img. When a device is running, you will find these files in '/'.
> >> >> (ls / will show them)
> >> >>
> >> >> 2. You can push any of those files, or all to /system/data and then
> >> >> setprop selinux.reload_policy 1. See the info here:
> >> >> http://selinuxproject.org/page/SEAndroid#SE_Android_Policy
> >> >>
> >> >> 3. You can extract apk's in many ways, this blog has a few:
> >> >>
> >> >>
> >> >>
> http://mauweb.net/3.0/en/technology/17-android/100-icon-androidextracting-apk-files-from-your-android.html
> >> >>
> >> >> Bill
> >> >>
> >> >> On Tue, Aug 7, 2012 at 1:01 AM, Alexandra Test
> >> >> <testalexandrainstitute@gmail.com> wrote:
> >> >> > I installed the gapp (downloaded here
> >> >> > https://faramir.eriador.org/r/gapps-ics-20120317-signed.zip) as an
> >> >> > independent package and then I used restorecon.
> >> >> >
> >> >> > About the policy, I have two files in external/sepolicy/seapp_context
> >> >> > and property_context
> >> >> > Where can I find these files in the phone memory? Do I need to
> >> >> > modify the source files and rebuild the system every time?
> >> >> > If I want to extract the gapp from the original build, how can I do
> >> >> > that?
> >> >> >
> >> >> > Thanks for your help
> >> >> >
> >> >> >
> >> >> >
> >> >> > On Mon, Aug 6, 2012 at 7:44 PM, William Roberts
> >> >> > <bill.c.roberts@gmail.com>
> >> >> > wrote:
> >> >> >>
> >> >> >> It should be working, as we wrote a lot of the policy for that
> >> >> >> device and didn't experience any denials. If you're installing apps
> >> >> >> from recovery (like gapps), make sure you use the recovery.img that
> >> >> >> gets built and not ClockworkMod.
> >> >> >>
> >> >> >> On Mon, Aug 6, 2012 at 3:35 AM, Alexandra Test
> >> >> >> <testalexandrainstitute@gmail.com> wrote:
> >> >> >> > Hi Williams,
> >> >> >> > sorry for the late reply, I was on vacation.
> >> >> >> > I am using a Samsung Galaxy Nexus with the tuna master branch.
> >> >> >> >
> >> >> >> > Thanks for your help!
> >> >> >> > Anna
> >> >> >> >
> >> >> >> >
> >> >> >> > On Wed, Jul 18, 2012 at 7:31 PM, William Roberts
> >> >> >> > <bill.c.roberts@gmail.com>
> >> >> >> > wrote:
> >> >> >> >>
> >> >> >> >> You have a lot of denials. What device and branch of code are
> >> >> >> >> you using?
> >> >> >> >>
> >> >> >> >> I might be able to help you get these fixed.
> >> >> >> >>
> >> >> >> >> On Wed, Jul 18, 2012 at 12:24 AM, Alexandra Test
> >> >> >> >> <testalexandrainstitute@gmail.com> wrote:
> >> >> >> >>>
> >> >> >> >>> Yes, in the attached files you can see the denials.
> >> >> >> >>>
> >> >> >> >>> In permissive mode I can install everything.
> >> >> >> >>>
> >> >> >> >>> Any ideas?
> >> >> >> >>>
> >> >> >> >>> On 16 Jul 2012 18:13, "William Roberts"
> >> >> >> >>> <bill.c.roberts@gmail.com>
> >> >> >> >>> wrote:
> >> >> >> >>>
> >> >> >> >>>> Do you have any denials? Does installation work in permissive
> >> >> >> >>>> mode?
> >> >> >> >>>>
> >> >> >> >>>> On Jul 16, 2012 5:44 AM, "Alexandra Test"
> >> >> >> >>>> <testalexandrainstitute@gmail.com> wrote:
> >> >> >> >>>>>
> >> >> >> >>>>> My phone is now in enforcing mode but I cannot install
> >> >> >> >>>>> anything.
> >> >> >> >>>>> I tried from google play but after the download, when it
> >> >> >> >>>>> tries to install it says:
> >> >> >> >>>>> "the download url is not valid"
> >> >> >> >>>>>
> >> >> >> >>>>> Do I have to change the policies? I saw the app.te files in
> >> >> >> >>>>> external/sepolicy in the build directory, but where can I
> >> >> >> >>>>> find the same file on the phone?
> >> >> >> >>>>> Do I need to rebuild and reflash every time I change the
> >> >> >> >>>>> policies?
> >> >> >> >>>>>
> >> >> >> >>>>>
> >> >> >> >>>>>
> >> >> >> >>>>> On Mon, Jul 16, 2012 at 12:47 PM, Alexandra Test
> >> >> >> >>>>> <testalexandrainstitute@gmail.com> wrote:
> >> >> >> >>>>>>
> >> >> >> >>>>>> it works, thank you! :-)
> >> >> >> >>>>>>
> >> >> >> >>>>>>
> >> >> >> >>>>>> On Sun, Jul 15, 2012 at 6:25 AM, Robert Craig
> >> >> >> >>>>>> <robertpcraig@gmail.com>
> >> >> >> >>>>>> wrote:
> >> >> >> >>>>>>>
> >> >> >> >>>>>>> On Fri, Jul 13, 2012 at 8:50 AM, Alexandra Test
> >> >> >> >>>>>>> <testalexandrainstitute@gmail.com> wrote:
> >> >> >> >>>>>>>
> >> >> >> >>>>>>>>
> >> >> >> >>>>>>>> I tried to investigate without success, so I decided to
> >> >> >> >>>>>>>> try to use restorecon. Is it necessary to be root?
> >> >> >> >>>>>>>> On which files do I need to use restorecon? How?
> >> >> >> >>>>>>>>
> >> >> >> >>>>>>>
> >> >> >> >>>>>>> You'll not only have to be root, but you'll also need to
> >> >> >> >>>>>>> remount your system partition (android mounts it read only).
> >> >> >> >>>>>>> I would try:
> >> >> >> >>>>>>> adb shell
> >> >> >> >>>>>>> su
> >> >> >> >>>>>>> mount -o rw,remount </dev/block path for your device> /system
> >> >> >> >>>>>>> restorecon -R /system
> >> >> >> >>>>>>
> >> >> >> >>>>>>
> >> >> >> >>>>>
> >> >> >> >>
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> --
> >> >> >> >> Respectfully,
> >> >> >> >>
> >> >> >> >> William C Roberts
> >> >> >> >>
> >> >> >> >>
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> Respectfully,
> >> >> >>
> >> >> >> William C Roberts
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Respectfully,
> >> >>
> >> >> William C Roberts
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Respectfully,
> >>
> >> William C Roberts
> >
> >
>
>
>
> --
> Respectfully,
>
> William C Roberts
>
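Bill's audit2allow summary in the quoted message boils the raw AVC lines down to per-domain allow rules. As an added example (not audit2allow itself and not code from anyone on the thread), here is a small Python parser that does the same over the denials quoted above, and also decodes the hex-encoded comm= and path= values the kernel audit code emits when a value contains a space or a NUL byte (comm=42696E64... is "Binder Thread #", path=004D75... is the abstract socket "\0Multiclient"). The sample log text is copied from the thread with the mail wrapping undone.

```python
"""Summarise SELinux AVC denials from dmesg into audit2allow-style allow rules.
Added example for this thread: not audit2allow, not code from the list.  The
sample lines are the denials quoted in the thread, rejoined onto single lines."""
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the thread, one per line.
SAMPLE_DMESG = """\
<5>[   24.782653] type=1400 audit(1344517139.820:6): avc:  denied  { write } for  pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl" dev=proc ino=4026532651 scontext=u:r:system:s0 tcontext=u:object_r:proc:s0 tclass=file
<5>[   25.809204] type=1400 audit(1344517140.843:7): avc:  denied  { connectto } for  pid=460 comm="GpsLocationProv" path=004D756C7469636C69656E74 scontext=u:r:system:s0 tcontext=u:r:rild:s0 tclass=unix_stream_socket
<5>[   26.586181] type=1400 audit(1344517141.625:8): avc:  denied  { read } for  pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.586364] type=1400 audit(1344517141.625:9): avc:  denied  { open } for  pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  { write } for  pid=175 comm=42696E646572205468726561642023 name="rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  { ioctl } for  pid=175 comm=42696E646572205468726561642023 path="/dev/rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[    5.459838] type=1400 audit(1344517120.492:3): avc:  denied  { read write } for  pid=129 comm="sh" name="ttyFIQ0" dev=tmpfs ino=2914 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields the kernel audit code hex-encodes (unquoted, all hex) when the value
# holds a space, a quote or a control byte such as an abstract socket's NUL.
HEX_FIELDS = {"comm", "name", "path", "exe"}


def decode_field(key, raw):
    """Return the printable value of one key=value pair."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("latin-1")
    return raw


def context_type(ctx):
    """u:r:mediaserver:s0 -> mediaserver (contexts are user:role:type:level)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for a non-AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        rec[key] = decode_field(key, raw)
    return rec


def summarise(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
            continue  # truncated line: skip it rather than guess
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return rules


def format_rules(rules):
    """Render the grouped denials in audit2allow's per-domain layout.

    These are candidates to review, not to paste into policy: as Bill notes
    above, the mediaserver chr_file denials came from an unlabeled /dev node
    (a file_contexts fix), not from a genuinely missing allow rule."""
    by_domain = defaultdict(list)
    for (src, tgt, cls), perms in rules.items():
        by_domain[src].append((tgt, cls, sorted(perms)))
    out = []
    for src in sorted(by_domain):
        out.append(f"#============= {src} ==============")
        for tgt, cls, perms in sorted(by_domain[src]):
            perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_rules(summarise(SAMPLE_DMESG)))
```

Running it against a real device is `adb shell dmesg | python3 this_script.py` with the script reading stdin instead of SAMPLE_DMESG; the grouping matches Bill's output above except that permissions come out sorted.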


* Re: SE Android (Was: Re: Welcome to selinux)
  2012-08-14 10:42                                                       ` Alexandra Test
@ 2012-08-14 14:33                                                         ` Stephen Smalley
  2012-08-14 15:38                                                           ` Radzykewycz, T (Radzy)
  0 siblings, 1 reply; 24+ messages in thread
From: Stephen Smalley @ 2012-08-14 14:33 UTC (permalink / raw)
  To: Alexandra Test; +Cc: William Roberts, selinux

On Tue, 2012-08-14 at 12:42 +0200, Alexandra Test wrote:
> When I try to check out the aosp, it fails with this error
>  File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 385, in
> <module>
>     _Main(sys.argv[1:])
>   File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 365, in
> _Main
>     result = repo._Run(argv) or 0
>   File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 137, in
> _Run
>     result = cmd.Execute(copts, cargs)
>   File "/home/ubuntu-user/Selinux/.repo/repo/subcmds/sync.py", line
> 469, in Execute
>     project.Sync_LocalHalf(syncbuf)
>   File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1049,
> in Sync_LocalHalf
>     lost = self._revlist(not_rev(revid), HEAD)
>   File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1791,
> in _revlist
>     return self.work_git.rev_list(*a, **kw)
>   File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1936,
> in rev_list
>     p.stderr))
> error.GitError: dalvik rev-list
> ('^938208a28b56f360c6cb0fb3a5e57d6121924a93', 'HEAD', '--'): fatal:
> bad object HEAD
> 
> Any idea? 

No, never seen that one.  Try creating a fresh client in an empty
directory (without any .repo subdirectory) from AOSP.  Might want to
also make sure you are using an up-to-date version of repo.

-- 
Stephen Smalley
National Security Agency



* RE: SE Android (Was: Re: Welcome to selinux)
  2012-08-14 14:33                                                         ` Stephen Smalley
@ 2012-08-14 15:38                                                           ` Radzykewycz, T (Radzy)
  2012-08-14 17:19                                                             ` Alexandra Test
  0 siblings, 1 reply; 24+ messages in thread
From: Radzykewycz, T (Radzy) @ 2012-08-14 15:38 UTC (permalink / raw)
  To: selinux

When I've seen similar problems in the past, it was usually (always?) caused because a git pull or git clone had been interrupted at the wrong place.  My normal workaround is to remove the corrupted project.  In this case, I think that may be "rm -rf .repo/projects/dalvik.git dalvik"


________________________________________
From: owner-selinux@tycho.nsa.gov [owner-selinux@tycho.nsa.gov] on behalf of Stephen Smalley [sds@tycho.nsa.gov]
Sent: Tuesday, August 14, 2012 7:33 AM
To: Alexandra Test
Cc: William Roberts; selinux@tycho.nsa.gov
Subject: Re: SE Android (Was: Re: Welcome to selinux)

On Tue, 2012-08-14 at 12:42 +0200, Alexandra Test wrote:
> When I try to check out the aosp, it fails with this error
>  File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 385, in
> <module>
>     _Main(sys.argv[1:])
>   File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 365, in
> _Main
>     result = repo._Run(argv) or 0
>   File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 137, in
> _Run
>     result = cmd.Execute(copts, cargs)
>   File "/home/ubuntu-user/Selinux/.repo/repo/subcmds/sync.py", line
> 469, in Execute
>     project.Sync_LocalHalf(syncbuf)
>   File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1049,
> in Sync_LocalHalf
>     lost = self._revlist(not_rev(revid), HEAD)
>   File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1791,
> in _revlist
>     return self.work_git.rev_list(*a, **kw)
>   File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1936,
> in rev_list
>     p.stderr))
> error.GitError: dalvik rev-list
> ('^938208a28b56f360c6cb0fb3a5e57d6121924a93', 'HEAD', '--'): fatal:
> bad object HEAD
>
> Any idea?

No, never seen that one.  Try creating a fresh client in an empty
directory (without any .repo subdirectory) from AOSP.  Might want to
also make sure you are using an up-to-date version of repo.

--
Stephen Smalley
National Security Agency



* Re: SE Android (Was: Re: Welcome to selinux)
  2012-08-14 15:38                                                           ` Radzykewycz, T (Radzy)
@ 2012-08-14 17:19                                                             ` Alexandra Test
  0 siblings, 0 replies; 24+ messages in thread
From: Alexandra Test @ 2012-08-14 17:19 UTC (permalink / raw)
  To: Radzykewycz, T (Radzy); +Cc: selinux


Thank you very much!
I tried to remove the .repo folder but it did not solve it.
I solved it by checking out all the source from the bitbucket folder.



On Tue, Aug 14, 2012 at 5:38 PM, Radzykewycz, T (Radzy) <radzy@windriver.com> wrote:

> When I've seen similar problems in the past, it was usually (always?)
> caused because a git pull or git clone had been interrupted at the wrong
> place.  My normal workaround is to remove the corrupted project.  In this
> case, I think that may be "rm -rf .repo/projects/dalvik.git dalvik"
>
>
> ________________________________________
> From: owner-selinux@tycho.nsa.gov [owner-selinux@tycho.nsa.gov] on behalf
> of Stephen Smalley [sds@tycho.nsa.gov]
> Sent: Tuesday, August 14, 2012 7:33 AM
> To: Alexandra Test
> Cc: William Roberts; selinux@tycho.nsa.gov
> Subject: Re: SE Android (Was: Re: Welcome to selinux)
>
> On Tue, 2012-08-14 at 12:42 +0200, Alexandra Test wrote:
> > When I try to check out the aosp, it fails with this error
> >  File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 385, in
> > <module>
> >     _Main(sys.argv[1:])
> >   File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 365, in
> > _Main
> >     result = repo._Run(argv) or 0
> >   File "/home/ubuntu-user/Selinux/.repo/repo/main.py", line 137, in
> > _Run
> >     result = cmd.Execute(copts, cargs)
> >   File "/home/ubuntu-user/Selinux/.repo/repo/subcmds/sync.py", line
> > 469, in Execute
> >     project.Sync_LocalHalf(syncbuf)
> >   File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1049,
> > in Sync_LocalHalf
> >     lost = self._revlist(not_rev(revid), HEAD)
> >   File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1791,
> > in _revlist
> >     return self.work_git.rev_list(*a, **kw)
> >   File "/home/ubuntu-user/Selinux/.repo/repo/project.py", line 1936,
> > in rev_list
> >     p.stderr))
> > error.GitError: dalvik rev-list
> > ('^938208a28b56f360c6cb0fb3a5e57d6121924a93', 'HEAD', '--'): fatal:
> > bad object HEAD
> >
> > Any idea?
>
> No, never seen that one.  Try creating a fresh client in an empty
> directory (without any .repo subdirectory) from AOSP.  Might want to
> also make sure you are using an up-to-date version of repo.
>
> --
> Stephen Smalley
> National Security Agency
>
>
>

