From: Alexandra Test
To: William Roberts
Cc: selinux@tycho.nsa.gov
Date: Mon, 13 Aug 2012 10:37:37 +0200
Subject: Re: SE Android (Was: Re: Welcome to selinux)

My version was a bit old so I decided to update it.

Unfortunately it cannot succeed, this is the error:
update-apt-xapian-index has closedReceiving objects:  82% (4843/5898), 299.71 Mifatal: The remote end hung up unexpectedly65 MiB | 411 KiB/s
fatal: early EOF
fatal: index-pack failed
remote: Counting objects: 5898, done.
remote: Compressing objects: 100% (2778/2778), done.
^Cerror: Cannot fetch device-samsung-tuna77 MiB | 400 KiB/s
I am using the master version. If I look into the folder it did not write anything inside...

Thanks for your help

On Thu, Aug 9, 2012 at 8:23 PM, William Roberts <bill.c.roberts@gmail.com> wrote:
I don't see any denials being caused by gapps so that's ok.

What version of SEAndroid are you running?

You can pipe your denial logs (dmesg) through a tool called
audit2allow to get a more concise reading. It often helps to make sense
of things

adb shell dmesg | audit2allow

It looks like some things are not getting labeled properly
#============= mediaserver ==============
allow mediaserver device:chr_file { read write ioctl open };
allow mediaserver system_data_file:dir { read open };
allow mediaserver system_data_file:file open;

We don't care about shell
#============= shell ==============
allow shell device:chr_file { read write getattr ioctl };

We may need to allow this in the policy...need to put more thought in it.
#============= system ==============
allow system proc:file write;
allow system rild:unix_stream_socket connectto;

Denials explained:
allow system proc:file write is from this denial:
<5>[   24.782653] type=1400 audit(1344517139.820:6): avc:  denied  {
write } for  pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl"
dev=proc ino=4026532651 scontext=u:r:system:s0
tcontext=u:object_r:proc:s0 tclass=file
This should be fixed on tuna/maguro device...

allow system rild:unix_stream_socket connectto is from this denial
<5>[   25.809204] type=1400 audit(1344517140.843:7): avc:  denied  {
connectto } for  pid=460 comm="GpsLocationProv"
path=004D756C7469636C69656E74 scontext=u:r:system:s0
tcontext=u:r:rild:s0 tclass=unix_stream_socket
This should be fixed..

Media server denies
<5>[   26.586181] type=1400 audit(1344517141.625:8): avc:  denied  {
read } for  pid=175 comm=42696E646572205468726561642023
name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0
tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.586364] type=1400 audit(1344517141.625:9): avc:  denied  {
open } for  pid=175 comm=42696E646572205468726561642023
name="rproc_user" dev=tmpfs ino=2868 scontext=u:r:mediaserver:s0
tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  {
write } for  pid=175 comm=42696E646572205468726561642023
name="rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  {
ioctl } for  pid=175 comm=42696E646572205468726561642023
path="/dev/rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0
tcontext=u:object_r:device:s0 tclass=chr_file

The problem here comes from labeling:
/dev/rpmsg-omx1 is not labeled properly but should be, it was fixed in
external/sepolicy commit ee5f4005

Make sure your seandroid is up to date, I have a feeling you need to
update your local_manifest.xml file and do a new repo sync..

I am also forwarding this to the public mailing list, so others can
learn from this and answer problems before they arise. I hope this
helps, and from now on direct these types of questions back to the
mailing list to help others out.

Bill

On Thu, Aug 9, 2012 at 6:15 AM, Alexandra Test
<testalexandrainstitute@gmail.com> wrote:
> Hi William,
> I tried again and it did not work again.
> The reason why I installed from a gapp*.zip files is because it has all the
> dependencies verified; I tried before to install from the apk, extracted
> from the phone but it did not work.
> I did the restorecon simply with this command:
> adb shell
> su
> mount -o rw,remount /dev/block/platform/omap/omap /system
> restorecon -R /system
> It does not work! how is it possible? the phone is still in permissive mode,
> I cannot change in enforcing mode
> The list of my denials:
> <5>[    5.459838] type=1400 audit(1344517120.492:3): avc:  denied  { read
> write } for  pid=129 comm="sh" name="ttyFIQ0" dev=tmpfs ino=2914
> scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[    5.537353] type=1400 audit(1344517120.570:4): avc:  denied  { getattr
> } for  pid=129 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2914
> scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[    5.538055] type=1400 audit(1344517120.570:5): avc:  denied  { ioctl }
> for  pid=129 comm="sh" path="/dev/ttyFIQ0" dev=tmpfs ino=2914
> scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file
> <5>[   24.782653] type=1400 audit(1344517139.820:6): avc:  denied  { write }
> for  pid=404 comm="LocationManager" name="mcspi1_cs3_ctrl" dev=proc
> ino=4026532651 scontext=u:r:system:s0 tcontext=u:object_r:proc:s0
> tclass=file
> <5>[   25.809204] type=1400 audit(1344517140.843:7): avc:  denied  {
> connectto } for  pid=460 comm="GpsLocationProv"
> path=004D756C7469636C69656E74 scontext=u:r:system:s0 tcontext=u:r:rild:s0
> tclass=unix_stream_socket
> <5>[   26.586181] type=1400 audit(1344517141.625:8): avc:  denied  { read }
> for  pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs
> ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> tclass=chr_file
> <5>[   26.586364] type=1400 audit(1344517141.625:9): avc:  denied  { open }
> for  pid=175 comm=42696E646572205468726561642023 name="rproc_user" dev=tmpfs
> ino=2868 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> tclass=chr_file
> <5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  { write
> } for  pid=175 comm=42696E646572205468726561642023 name="rpmsg-omx1"
> dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> tclass=chr_file
> <5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  { ioctl
> } for  pid=175 comm=42696E646572205468726561642023 path="/dev/rpmsg-omx1"
> dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
> tclass=chr_file
> <5>[   26.775054] type=1400 audit(1344517141.812:12): avc:  denied  { read }
> for  pid=175 comm=42696E646572205468726561642023
> name="R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044" dev=mmcblk0p12
> ino=138460 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:system_data_file:s0 tclass=dir
> <5>[   26.775268] type=1400 audit(1344517141.812:13): avc:  denied  { open }
> for  pid=175 comm=42696E646572205468726561642023
> name="R5_MVEN003_LD2_ND0_IR0_SH0_FL1_SVEN003_DCCID1044" dev=mmcblk0p12
> ino=138460 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:system_data_file:s0 tclass=dir
> <5>[   26.775695] type=1400 audit(1344517141.812:14): avc:  denied  { open }
> for  pid=175 comm=42696E646572205468726561642023 name="calib.bin"
> dev=mmcblk0p12 ino=138461 scontext=u:r:mediaserver:s0
> tcontext=u:object_r:system_data_file:s0 tclass=file
>
>
> Thanks for your help
>
>
>
> On Tue, Aug 7, 2012 at 7:06 PM, William Roberts <bill.c.roberts@gmail.com>
> wrote:
>>
>> 1. The seapp_contexts, file_contexts, sepolicy.24 and
>> property_contexts are in the ramdisk for the rootfs, which is in
>> boot.img. When a device is running, you will find these files in '/'.
>> (ls / will show them)
>>
>> 2. You can push any of those files, or all to /system/data and then
>> setprop selinux.reload_policy 1. See the info here:
>> http://selinuxproject.org/page/SEAndroid#SE_Android_Policy
>>
>> 3. You can extract apk's in many ways, this blog has a few:
>>
>> http://mauweb.net/3.0/en/technology/17-android/100-icon-androidextracting-apk-files-from-your-android.html
>>
>> Bill
>>
>> On Tue, Aug 7, 2012 at 1:01 AM, Alexandra Test
>> <testalexandrainstitute@gmail.com> wrote:
>> > I installed the gapp (downloaded here
>> > https://faramir.eriador.org/r/gapps-ics-20120317-signed.zip) as an
>> > independent package and then I used restorecon.
>> >
>> > About the policy, I have two files in external/sepolicy/seapp_context
>> > and
>> > property_context
>> > Where can I find these files in the phone memory? do I need every time
>> > to
>> > modify the source files and then provide the system building?
>> > If I want to extract the gapp from the original build how can I do that?
>> >
>> > Thanks for your help
>> >
>> >
>> >
>> > On Mon, Aug 6, 2012 at 7:44 PM, William Roberts
>> > <bill.c.roberts@gmail.com>
>> > wrote:
>> >>
>> >> It should be working, as we wrote a lot of the policy for that device
>> >> and didn't experience any denials. If you're installing apps from
>> >> recovery (Like gapps), make sure you use the recovery.img that gets
>> >> built and not clock-work mod.
>> >>
>> >> On Mon, Aug 6, 2012 at 3:35 AM, Alexandra Test
>> >> <testalexandrainstitute@gmail.com> wrote:
>> >> > Hi Williams,
>> >> > sorry for the late reply, I was on vacation.
>> >> > I am using a Samsung Galaxy Nexus with the tuna master branch.
>> >> >
>> >> > Thanks for your help!
>> >> > Anna
>> >> >
>> >> >
>> >> > On Wed, Jul 18, 2012 at 7:31 PM, William Roberts
>> >> > <bill.c.roberts@gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> You have a lot of denials. What device and branch of code are you
>> >> >> using?
>> >> >>
>> >> >> I might be able to help you get these fixed.
>> >> >>
>> >> >> On Wed, Jul 18, 2012 at 12:24 AM, Alexandra Test
>> >> >> <testalexandrainstitute@gmail.com> wrote:
>> >> >>>
>> >> >>> Yes, in the attached files you can see the denials.
>> >> >>>
>> >> >>> In permissive mode I can install everything.
>> >> >>>
>> >> >>> Any ideas?
>> >> >>>
>> >> >>> On 16 Jul 2012 18:13, "William Roberts"
>> >> >>> <bill.c.roberts@gmail.com>
>> >> >>> wrote:
>> >> >>>
>> >> >>>> Do you have any denials? Does installation work in permissive mode?
>> >> >>>>
>> >> >>>> On Jul 16, 2012 5:44 AM, "Alexandra Test"
>> >> >>>> <testalexandrainstitute@gmail.com> wrote:
>> >> >>>>>
>> >> >>>>> My phone is now in enforcing mode but I can not install
>> >> >>>>> anything.
>> >> >>>>> I tried from google play but after the download, when it tries to
>> >> >>>>> install says:
>> >> >>>>> "the download url is not valid"
>> >> >>>>>
>> >> >>>>> Do I have to change the policies? I saw the app.te files in
>> >> >>>>> external/sepolicy in the build directory, but where can I find
>> >> >>>>> the
>> >> >>>>> same file
>> >> >>>>> on the phone?
>> >> >>>>> Do I need to rebuild and reflash every time I change the
>> >> >>>>> policies?
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> On Mon, Jul 16, 2012 at 12:47 PM, Alexandra Test
>> >> >>>>> <testalexandrainstitute@gmail.com> wrote:
>> >> >>>>>>
>> >> >>>>>> it works, thank you! :-)
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> On Sun, Jul 15, 2012 at 6:25 AM, Robert Craig
>> >> >>>>>> <robertpcraig@gmail.com>
>> >> >>>>>> wrote:
>> >> >>>>>>>
>> >> >>>>>>> On Fri, Jul 13, 2012 at 8:50 AM, Alexandra Test
>> >> >>>>>>> <testalexandrainstitute@gmail.com> wrote:
>> >> >>>>>>>
>> >> >>>>>>>>
>> >> >>>>>>>> I tried to investigate without success, so I decided to try to
>> >> >>>>>>>> use
>> >> >>>>>>>> the restorecon. is it needed to be root?
>> >> >>>>>>>> on which files do I need to use restorecon? how?
>> >> >>>>>>>>
>> >> >>>>>>>
>> >> >>>>>>> You'll not only have to be root, but you'll also need to
>> >> >>>>>>> remount
>> >> >>>>>>> your
>> >> >>>>>>> system partition (android mounts it read only).
>> >> >>>>>>> I would try:
>> >> >>>>>>> adb shell
>> >> >>>>>>> su
>> >> >>>>>>> mount -o rw,remount </dev/block path for your device> /system
>> >> >>>>>>> restorecon -R /system
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Respectfully,
>> >> >>
>> >> >> William C Roberts
>> >> >>
>> >> >>
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Respectfully,
>> >>
>> >> William C Roberts
>> >
>> >
>>
>>
>>
>> --
>> Respectfully,
>>
>> William C Roberts
>
>



--
Respectfully,

William C Roberts

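The reading of the audit2allow output in the quoted reply separates denials that may need a policy rule from denials that only show a mislabeled object such as /dev/rpmsg-omx1. As an added example (not part of the thread and not audit2allow's own code), the Python below parses AVC lines like the ones quoted, decodes the hex-encoded comm and path fields, merges the denials into allow-rule form and tags targets that carry a catch-all type. GENERIC_TYPES and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Three denials taken from the dmesg output quoted in the thread.
SAMPLE = """\
<5>[   25.809204] type=1400 audit(1344517140.843:7): avc:  denied  { connectto } for  pid=460 comm="GpsLocationProv" path=004D756C7469636C69656E74 scontext=u:r:system:s0 tcontext=u:r:rild:s0 tclass=unix_stream_socket
<5>[   26.602386] type=1400 audit(1344517141.640:10): avc:  denied  { write } for  pid=175 comm=42696E646572205468726561642023 name="rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[   26.602783] type=1400 audit(1344517141.640:11): avc:  denied  { ioctl } for  pid=175 comm=42696E646572205468726561642023 path="/dev/rpmsg-omx1" dev=tmpfs ino=3045 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
"""

# Assumption of this example: catch-all default types. A denial against one of
# them suggests a missing file_contexts entry rather than a missing allow rule.
GENERIC_TYPES = {"device", "system_data_file"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_field(value):
    """Return the readable form of a comm/name/path value.

    The kernel quotes plain strings and hex-encodes ones holding spaces or
    control bytes; a leading NUL (abstract unix socket) is shown as '@'.
    """
    if value.startswith('"'):
        return value.strip('"')
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value
    text = raw.decode("utf-8", errors="replace")
    return "@" + text[1:] if text.startswith("\x00") else text


def parse_denial(line):
    """Parse one dmesg line; return None when it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(2)))
    return {
        "perms": set(m.group(1).split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": decode_field(fields.get("comm", "")),
        "object": decode_field(fields.get("path") or fields.get("name", "")),
    }


def summarize(log):
    """Merge denials into audit2allow-style rules and tag likely label bugs."""
    perms, objects = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        key = (d["source"], d["target"], d["tclass"])
        perms[key] |= d["perms"]
        objects[key].add(d["object"])
    report = []
    for key in sorted(perms):
        source, target, tclass = key
        rule = "allow %s %s:%s { %s };" % (
            source, target, tclass, " ".join(sorted(perms[key])))
        action = "relabel" if target in GENERIC_TYPES else "review"
        report.append((action, rule, sorted(objects[key])))
    return report


if __name__ == "__main__":
    for action, rule, objs in summarize(SAMPLE):
        print("%-8s %s  objects=%s" % (action, rule, objs))
```

A "relabel" entry means the object should get a specific type in file_contexts before any rule is considered; a "review" entry is a candidate for a policy decision.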