Eric Nelson
2018-02-08 17:30:23 UTC
I am porting Android 7.1 to our IMX53 product. I ran into a problem with
SELinux that doesn't seem to make sense. The boot log looks like this:
.
.
.
[ 3.506650] Freeing unused kernel memory: 1024K
[ 3.528875] init: init first stage started!
[ 3.553382] SELinux: Permission validate_trans in class security not
defined in policy.
[ 3.562534] SELinux: Class cap_userns not defined in policy.
[ 3.568418] SELinux: Class cap2_userns not defined in policy.
[ 3.574269] SELinux: Class bpf not defined in policy.
[ 3.579623] SELinux: the above unknown classes and permissions will be denied
[ 3.701006] audit: type=1403 audit(3.689:2): policy loaded auid=4294967295
ses=4294967295
[ 3.712563] audit: type=1404 audit(3.699:3): enforcing=1 old_enforcing=0
auid=4294967295 ses=4294967295
[ 3.745760] init: (Initializing SELinux enforcing took 0.21s.)
[ 3.766315] init: init second stage started!
[ 3.792985] init: Running restorecon...
[ 3.880962] init: waitpid failed: No child processes
[ 3.887834] init: (Loading properties from /default.prop took 0.00s.)
[ 3.903302] init: (Parsing /init.environ.rc took 0.00s.)
[ 3.910929] init: (Parsing /init.usb.rc took 0.00s.)
[ 3.918296] init: (Parsing init.rti.usb.rc took 0.00s.)
[ 3.923605] init: (Parsing /init.rti.rc took 0.01s.)
[ 3.931310] init: (Parsing /init.usb.configfs.rc took 0.00s.)
[ 3.937856] init: (Parsing /init.zygote32.rc took 0.00s.)
[ 3.962443] ueventd: ueventd started!
[ 4.942899] ueventd: Coldboot took 0.97s.
[ 5.078709] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode.
Opts: (null)
[ 5.139472] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode.
Opts: errors=panic
[ 5.182104] EXT4-fs (mmcblk0p4): mounted filesystem with ordered data mode.
Opts: errors=panic
[ 5.493959] audit: type=1400 audit(5.479:4): avc: denied { execute } for
pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340
scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
permissive=0
[ 5.593161] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 5.607788] audit: type=1400 audit(5.599:5): avc: denied { execute } for
pid=112 comm="init" name="sh" dev="mmcblk0p2" ino=654293
scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
permissive=0
[ 6.663334] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 7.670798] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 8.678255] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 9.685626] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
.
.
.
As you can see, "vdc" and "sh" seem to be missing a label for SELinux.
However, I clearly see the label being set in android source under
/system/sepolicy/file_contexts:
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/vdc u:object_r:vdc_exec:s0
Further, if I try to provide my own label for these same files in
/device/rti/kx10/sepolicy/file_contexts, I get compile errors:
out/target/product/kx10/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp:
Multiple same specifications for /system/bin/sh.
out/target/product/kx10/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp:
Multiple same specifications for /system/bin/vdc.
So if sh & vdc have a label defined, why does the SELinux audit indicate
these files are "unlabeled"???
Because of this error I cannot get a shell started to allow me to use other
debug tools (ex. logcat). Does anyone have any ideas, thoughts, or
suggestions that might help me proceed??
Thanks in advance,
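Added triage script, not from the post: it parses the AVC denials and the file_contexts entries quoted above and reports every denied file whose runtime label (the tcontext, i.e. the label the kernel found on the inode) differs from what file_contexts specifies. A tcontext of unlabeled means the inode carries no valid security.selinux xattr, regardless of what the policy's file_contexts says, so the two lists disagreeing is exactly the symptom worth confirming. Assumptions: the denied names live under /system/bin, and the lookup returns all matching entries rather than reproducing libselinux's most-specific-match ordering.

```python
import re

# Constructed sample input: the two AVC denials from the boot log above (unwrapped)
# and the two file_contexts entries the post quotes from system/sepolicy.
AVC_LOG = """\
[ 5.493959] audit: type=1400 audit(5.479:4): avc: denied { execute } for pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 5.607788] audit: type=1400 audit(5.599:5): avc: denied { execute } for pid=112 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
"""
FILE_CONTEXTS = """\
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/vdc u:object_r:vdc_exec:s0
"""

AVC_RE = re.compile(r'avc: denied \{ (?P<perms>[^}]*)\} for .*?name="(?P<name>[^"]*)"'
                    r'.*?tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(text):
    """One dict (perms, name, tcontext, tclass) per AVC denial line."""
    return [m.groupdict() for m in map(AVC_RE.search, text.splitlines()) if m]

def parse_file_contexts(text):
    """(anchored regex, optional type qualifier such as '--', context) per entry."""
    specs = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2:
            parts.insert(1, None)          # no qualifier: entry applies to any file type
        if len(parts) == 3:
            regex, ftype, ctx = parts
            specs.append((re.compile(regex + "$"), ftype, ctx))
    return specs

def type_of(ctx):
    return ctx.split(":")[2]               # u:object_r:shell_exec:s0 -> shell_exec

def find_label_mismatches(avc_text, fc_text, bindir="/system/bin"):
    """Pair each denied file's runtime label (tcontext) with the file_contexts entries
    matching its path. Assumes denied names live under bindir (true for sh and vdc here);
    simplified lookup returns every matching entry, not libselinux's ordering."""
    specs = parse_file_contexts(fc_text)
    report = []
    for d in parse_avc(avc_text):
        if d["tclass"] != "file":
            continue
        path = f'{bindir}/{d["name"]}'
        expected = [ctx for rx, _, ctx in specs if rx.match(path)]
        if expected and type_of(d["tcontext"]) not in map(type_of, expected):
            report.append((path, type_of(d["tcontext"]), sorted(map(type_of, expected))))
    return report
```

Run against a full dmesg and the device's file_contexts to get the list of binaries whose on-disk xattr does not match the policy; an empty list with denials still present points at the policy rules rather than at labeling.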
--
unsubscribe: android-porting+***@googlegroups.com
website: http://groups.google.com/group/android-porting
---
You received this message because you are subscribed to the Google Groups "android-porting" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-porting+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.