* SEAndroid app data labeling
@ 2012-01-25 15:12 Joshua Brindle
From: Joshua Brindle @ 2012-01-25 15:12 UTC (permalink / raw)
To: SE Linux; +Cc: Stephen Smalley
I'm working through some denials with SEAndroid on Galaxy Nexus and I'm confused
about app data labeling. I thought that the app data would be labeled with the
same category as the app, so c13 app would have c13 on the files in /data. I see
the note in seapp_contexts that levelfromUID only works on apps. How do you get
filesystem separation without labeling the apps with the category?
Also, I'm getting denials like this, which I'm a little confused about since
trusted_app is part of appdomain and appdomain has create_file_perms on
app_data_file. I'm not sure how untrusted_app would be able to keep any state
since everything in /data/data seems to be labeled app_data_file though:
<5>[ 25.067932] type=1400 audit(1327503267.632:59): avc: denied { add_name } for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF" scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:app_data_file:s0 tclass=dir
<5>[ 25.148498] type=1400 audit(1327503267.718:60): avc: denied { remove_name } for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF" dev=mmcblk0p12 ino=578665 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:app_data_file:s0 tclass=dir
<5>[ 26.209320] type=1400 audit(1327503268.773:61): avc: denied { write } for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386 scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
<5>[ 26.263183] type=1400 audit(1327503268.828:62): avc: denied { setattr } for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386 scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: SEAndroid app data labeling
From: James Carter @ 2012-01-25 18:26 UTC (permalink / raw)
To: Joshua Brindle; +Cc: SE Linux, Stephen Smalley
On Wed, 2012-01-25 at 10:12 -0500, Joshua Brindle wrote:
> I'm working through some denials with SEAndroid on Galaxy Nexus and I'm confused
> about app data labeling. I thought that the app data would be labeled with the
> same category as the app, so c13 app would have c13 on the files in /data. I see
> the note in seapp_contexts that levelfromUID only works on apps. How do you get
> filesystem separation without labeling the apps with the category?
>
>
On both the emulator and my Nexus S, the files in /data/data are labeled
with categories.
> Also, I'm getting denials like this, which I'm a little confused about since
> trusted_app is part of appdomain and appdomain has create_file_perms on
> app_data_file. I'm not sure how untrusted_app would be able to keep any state
> since everything in /data/data seems to be labeled app_data_file though:
>
> <5>[ 25.067932] type=1400 audit(1327503267.632:59): avc: denied { add_name } for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF" scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:app_data_file:s0 tclass=dir
> <5>[ 25.148498] type=1400 audit(1327503267.718:60): avc: denied { remove_name } for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF" dev=mmcblk0p12 ino=578665 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:app_data_file:s0 tclass=dir
> <5>[ 26.209320] type=1400 audit(1327503268.773:61): avc: denied { write } for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386 scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
> <5>[ 26.263183] type=1400 audit(1327503268.828:62): avc: denied { setattr } for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386 scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
>
I believe that these are from MLS constraints on writing down.
I don't think your /data/data is labeled properly.
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
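James's diagnosis above, a subject at s0:cN touching an object left at plain s0 and being stopped by the MLS constraints rather than by a missing type enforcement rule, can be checked mechanically instead of by eye. The Python below is an added example and is not code from this thread or from the SEAndroid project: it parses AVC denial lines, compares the MLS level of scontext and tcontext, and flags the denials where the subject carries categories the object lacks. The WRITE_PERMS set and the three result labels are my own choices; the sample input is the four denials from the post rejoined onto one line each, plus one constructed denial (pid 600) that is not from the post.

```python
import re

# Constructed sample input: the four AVC denials quoted in the thread, rejoined onto one
# line each, plus one extra denial (pid 600) made up here to show the matching-level case.
SAMPLE_DENIALS = """\
type=1400 audit(1327503267.632:59): avc: denied { add_name } for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF" scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:app_data_file:s0 tclass=dir
type=1400 audit(1327503267.718:60): avc: denied { remove_name } for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF" dev=mmcblk0p12 ino=578665 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:app_data_file:s0 tclass=dir
type=1400 audit(1327503268.773:61): avc: denied { write } for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386 scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
type=1400 audit(1327503268.828:62): avc: denied { setattr } for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386 scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
type=1400 audit(1327503270.000:63): avc: denied { read } for pid=600 comm="example" name="x.db" scontext=u:r:untrusted_app:s0:c13 tcontext=u:object_r:app_data_file:s0:c13 tclass=file
"""

AVC_RE = re.compile(r'avc: +denied +\{ *(?P<perms>[^}]+)\} +for +(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that modify the object (my own list); a denial on one of these across a
# level mismatch is the "write down" case James describes.
WRITE_PERMS = {'write', 'append', 'create', 'unlink', 'link', 'rename', 'setattr',
               'add_name', 'remove_name', 'rmdir', 'reparent'}


def parse_level(level):
    """Return (sensitivity, categories) for the low end of an MLS level string.
    Accepts 's0', 's0:c0', 's0:c0,c3', 's0:c0.c3' and ranges such as 's0-s0:c0.c255'."""
    low = level.split('-', 1)[0]
    sens, _, catpart = low.partition(':')
    cats = set()
    for item in filter(None, catpart.split(',')):
        if '.' in item:
            first, last = item.split('.')
            cats.update(range(int(first[1:]), int(last[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return sens, frozenset(cats)


def parse_denial(line):
    """Parse one 'avc: denied' line into a dict of its key=value fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields


def classify(denial):
    """'te' when subject and object are at the same level (a type enforcement allow
    rule is what is missing); 'mls-writedown' when the subject carries categories the
    object lacks and the permission modifies the object; 'mls-mismatch' otherwise."""
    slevel = denial['scontext'].split(':', 3)[3]   # everything after user:role:type
    tlevel = denial['tcontext'].split(':', 3)[3]
    subj, obj = parse_level(slevel), parse_level(tlevel)
    if subj == obj:
        return 'te'
    if subj[0] == obj[0] and subj[1] > obj[1] and set(denial['perms']) & WRITE_PERMS:
        return 'mls-writedown'
    return 'mls-mismatch'


def triage(text):
    """Classify every denial in a block of dmesg/logcat text."""
    rows = []
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            rows.append((int(d['pid']), ' '.join(d['perms']), d['scontext'],
                         d['tcontext'], classify(d)))
    return rows


if __name__ == '__main__':
    for row in triage(SAMPLE_DENIALS):
        print('pid=%d %-12s %s -> %s : %s' % row)
```

A denial classed mls-writedown points at the labels on the files, not at the policy: adding an allow rule for trusted_app on app_data_file would not help, because the allow rule already exists and it is the level mismatch that the constraint rejects. The heuristic only compares levels; the exact rule that fired is whatever the mls constraints in the policy say, so treat the result as a pointer to what to inspect, not as proof.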
* Re: SEAndroid app data labeling
From: James Carter @ 2012-01-25 18:56 UTC (permalink / raw)
To: Joshua Brindle; +Cc: SE Linux, Stephen Smalley
On Wed, 2012-01-25 at 13:26 -0500, James Carter wrote:
> I believe that these are from MLS constraints on writing down.
>
> I don't think your /data/data is labeled properly.
>
Did you wipe everything when you did the install? (The "-w" in "fastboot
-w flashall" causes user data to be erased.)
At this point in the project, any existing app data would have to be
manually labeled.
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
* Re: SEAndroid app data labeling
From: Joshua Brindle @ 2012-01-25 19:53 UTC (permalink / raw)
To: jwcart2; +Cc: SE Linux, Stephen Smalley
James Carter wrote:
>> >
> Did you wipe everything when you did the install? (The "-w" in "fastboot
> -w flashall" causes user data to be erased.)
>
> At this point in the project, any existing app data would have to be
> manually labeled.
>
I do -w every time. I'll try to figure out what is going on.
* Re: SEAndroid app data labeling
From: Stephen Smalley @ 2012-01-25 20:50 UTC (permalink / raw)
To: Joshua Brindle; +Cc: jwcart2, SE Linux
On Wed, 2012-01-25 at 14:53 -0500, Joshua Brindle wrote:
> James Carter wrote:
> >> >
> > Did you wipe everything when you did the install? (The "-w" in "fastboot
> > -w flashall" causes user data to be erased.)
> >
> > At this point in the project, any existing app data would have to be
> > manually labeled.
> >
>
> I do -w every time. I'll try to figure out what is going on.
FWIW, installd is the program that does the labeling of the app data
directories.
When did you last do a repo sync?
--
Stephen Smalley
National Security Agency
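Stephen's note that installd is what labels the app data directories suggests the check to run before touching policy: take the UID of each installed package and confirm that its data directory carries the category levelFromUid would derive from that UID. The Python below is an added example, not the project's code and not something posted in this thread. It assumes the mapping category = UID - AID_APP (10000) used by the SEAndroid code of that era, the four-field "<package> <uid> <debuggable> <datadir>" layout of /data/system/packages.list, and the toolbox ls -Z column order shown in the constructed samples; verify all three against your tree before trusting the output. The calendar provider's directory in the sample is deliberately left at plain s0 to mirror the posted denials.

```python
import re

# First application UID on Android. The audit assumes levelFromUid derives the
# category as c(uid - AID_APP); confirm against external/libselinux/src/android.c.
AID_APP = 10000

# Constructed sample of /data/system/packages.list (field order assumed).
PACKAGES_LIST = """\
com.android.providers.contacts 10000 0 /data/data/com.android.providers.contacts
com.android.providers.calendar 10006 0 /data/data/com.android.providers.calendar
com.example.notes 10013 1 /data/data/com.example.notes
com.android.settings 1000 0 /data/data/com.android.settings
"""

# Constructed sample of `ls -Z /data/data` (mode, owner, group, context, name assumed).
LS_Z = """\
drwxr-x--x app_0   app_0   u:object_r:app_data_file:s0:c0  com.android.providers.contacts
drwxr-x--x app_6   app_6   u:object_r:app_data_file:s0     com.android.providers.calendar
drwxr-x--x app_13  app_13  u:object_r:app_data_file:s0:c13 com.example.notes
drwxr-x--x system  system  u:object_r:system_data_file:s0  com.android.settings
"""

CAT_RE = re.compile(r':s0:c(\d+)$')


def expected_category(uid):
    """Category installd should stamp on the data directory; None for non-app UIDs,
    which get no per-app category."""
    return uid - AID_APP if uid >= AID_APP else None


def label_category(label):
    """Single category number at the end of a label such as ...:s0:c13, or None."""
    m = CAT_RE.search(label)
    return int(m.group(1)) if m else None


def parse_packages_list(text):
    """Map package name -> (uid, data directory)."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            pkgs[parts[0]] = (int(parts[1]), parts[3])
    return pkgs


def parse_ls_z(text):
    """Map directory name -> security context from ls -Z output."""
    labels = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5:
            labels[parts[-1]] = parts[-2]
    return labels


def audit(packages_list, ls_z):
    """Return (package, actual_label, expected_category) for every data directory whose
    label does not carry the category derived from the package's UID. Only the level is
    compared, since the file type can legitimately differ between app classes."""
    labels = parse_ls_z(ls_z)
    problems = []
    for name, (uid, datadir) in parse_packages_list(packages_list).items():
        actual = labels.get(datadir.rsplit('/', 1)[-1])
        expected = expected_category(uid)
        if actual is None or label_category(actual) != expected:
            problems.append((name, actual, expected))
    return problems


if __name__ == '__main__':
    for name, actual, expected in audit(PACKAGES_LIST, LS_Z):
        print('%s: label %s, expected category %s' % (name, actual, expected))
```

On a device you would feed it `adb shell cat /data/system/packages.list` and `adb shell ls -Z /data/data`. A hit for a package whose process shows up in the denials with s0:cN on the subject side is the labeling problem James suspected; a clean run with denials still present means the problem is somewhere other than the top-level data directory (files created before the label was applied, for instance).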
* Re: SEAndroid app data labeling
From: Joshua Brindle @ 2012-01-25 22:03 UTC (permalink / raw)
To: Stephen Smalley; +Cc: jwcart2, SE Linux
Stephen Smalley wrote:
> On Wed, 2012-01-25 at 14:53 -0500, Joshua Brindle wrote:
>> James Carter wrote:
>>> Did you wipe everything when you did the install? (The "-w" in "fastboot
>>> -w flashall" causes user data to be erased.)
>>>
>>> At this point in the project, any existing app data would have to be
>>> manually labeled.
>>>
>> I do -w every time. I'll try to figure out what is going on.
>
> FWIW, installd is the program that does the labeling of the app data
> directories.
>
> When did you last do a repo sync?
>
A couple days ago. I have a Xoom I can try it on as well, since you have
verified it works there. I'll repo sync and try a build for the Xoom tonight.
Thanks.