Are you building your system.img with the gapps? Are you adding the gapps afterwards (after the biuld and flash)? If afterwards, the denials specific to the gapps below would explain that. Try baking the gapps into the system image before the system.img is built. On Wed, Jul 11, 2012 at 6:39 AM, Alexandra Test < testalexandrainstitute@gmail.com> wrote: > Thanks for the suggestions, the phone is now working in permissive mode. > I would like to set the enforcing mode but I still have some residual > denials. > The output of the > > adb shell dmesg | grep avc > > <5>[84589.029418] type=1400 audit(1341913871.476:458): avc: denied { read } for pid=130 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2642 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file > > <5>[85517.133544] type=1400 audit(1341914799.582:459): avc: denied { open } for pid=10531 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file > > <5>[85519.959869] type=1400 audit(1341914802.410:460): avc: denied { read } for pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[85519.960449] type=1400 audit(1341914802.410:461): avc: denied { open } for pid=338 comm="ndroid.systemui" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[86670.591888] type=1400 audit(1341915953.036:462): avc: denied { read } for pid=10727 comm="id.partnersetup" name="GooglePartnerSetup.apk" dev=mmcblk0p10 ino=971 scontext=u:r:trusted_app:s0:c52 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[86670.592193] type=1400 audit(1341915953.036:463): avc: denied { open } for pid=10727 comm="id.partnersetup" name="GooglePartnerSetup.apk" dev=mmcblk0p10 ino=971 scontext=u:r:trusted_app:s0:c52 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[86701.210266] type=1400 audit(1341915983.653:464): avc: denied { read } for pid=10754 comm="apters.calendar" name="GoogleCalendarSyncAdapter.apk" dev=mmcblk0p10 ino=967 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[86701.210571] type=1400 audit(1341915983.653:465): avc: denied { open } for pid=10754 comm="apters.calendar" name="GoogleCalendarSyncAdapter.apk" dev=mmcblk0p10 ino=967 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[86701.669555] type=1400 audit(1341915984.114:466): avc: denied { read } for pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file > > <5>[86701.669860] type=1400 audit(1341915984.114:467): avc: denied { open } for pid=10770 comm="SyncAdapterThre" name="xt_qtaguid" dev=tmpfs ino=2623 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:device:s0 tclass=chr_file > > <5>[86701.670349] type=1400 audit(1341915984.114:468): avc: denied { open } for pid=10770 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c50 tcontext=u:object_r:qtaguid:s0 tclass=file > > <5>[86703.330718] type=1400 audit(1341915985.778:469): avc: denied { open } for pid=10777 comm="SyncAdapterThre" name="ctrl" dev=proc ino=4026533139 scontext=u:r:trusted_app:s0:c46 tcontext=u:object_r:qtaguid:s0 tclass=file > > <5>[86704.572326] type=1400 audit(1341915987.020:470): avc: denied { read } for pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[86704.573242] type=1400 audit(1341915987.020:471): avc: denied { open } for pid=10781 comm="e.process.gapps" name="GoogleServicesFramework.apk" dev=mmcblk0p10 ino=973 scontext=u:r:trusted_app:s0:c48 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[86718.670806] type=1400 audit(1341916001.114:472): avc: denied { read } for pid=10820 comm="le.android.talk" name="Talk.apk" dev=mmcblk0p10 ino=980 scontext=u:r:trusted_app:s0:c59 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[86718.671112] type=1400 audit(1341916001.114:473): avc: denied { open } for pid=10820 comm="le.android.talk" name="Talk.apk" dev=mmcblk0p10 ino=980 scontext=u:r:trusted_app:s0:c59 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[86721.909545] type=1400 audit(1341916004.356:474): avc: denied { read } for pid=10863 comm="ApplicationsPro" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:unlabeled:s0 tclass=file > > <5>[86721.909851] type=1400 audit(1341916004.356:475): avc: denied { open } for pid=10863 comm="ApplicationsPro" name="Gmail.apk" dev=mmcblk0p10 ino=965 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:unlabeled:s0 tclass=file > > Do I need to do something before changing the secure mode? > > Thanks for your help > > > On Mon, Jul 9, 2012 at 10:48 PM, Stephen Smalley wrote: > >> On Mon, 2012-07-02 at 16:05 +0200, Alexandra Test wrote: >> >> > I tried to install application from the google play website directly >> > from the phone but it is not working. >> >> Not sure what you mean by "not working" above. You have to separately >> install the gapps, but they work for us. Enforcing or permissive? >> >> > How to get the formal meaning of the files? I tried to look for it... >> >> seapp_contexts is only "documented" by the inline comments at the >> moment. The SELinux policy language is documented in a variety of >> places, including books (e.g. SELinux by Example, the SELinux Notebook), >> wiki pages (e.g. http://selinuxproject.org/page/PolicyLanguage), and >> technical reports (e.g. >> http://www.nsa.gov/research/selinux/docs.shtml#tech). >> >> > Yes, you are right, but I can't see any deny now... I only have to >> > understand how to go on... >> >> No avc messages in the output of adb shell dmesg or adb logcat? >> >> >> -- >> Stephen Smalley >> National Security Agency >> >> >