Discussion:
[android-porting] Selinux 'syntax' error in policy.
m***@gmail.com
2018-07-18 18:34:40 UTC
Hi,

I am trying to port AOSP Marshmallow to the BeagleBone Black. I get a lot of
AVC denied errors. When I tried to write an allow policy I got a syntax error
while the build checks the policy.

Following is the avc denied error:

##avc: denied { open } for pid=630 comm="zygote"
path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=62
scontext=u:r:zygote:s0 tcontext=u:object_r:debugfs_tracing:s0 tclass=file
permissive=1

Following is my rule:
allow zygote debugfs_tracing:file {write}

I am not sure what is wrong. Can somebody please help?

Thanks.
--
--
unsubscribe: android-porting+***@googlegroups.com
website: http://groups.google.com/group/android-porting

---
You received this message because you are subscribed to the Google Groups "android-porting" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-porting+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Satish Patel
2018-07-19 07:53:45 UTC
Post by m***@gmail.com
Hi,
I am trying to port AOSP Marshmallow to the BeagleBone Black. I get a lot of
AVC denied errors. When I tried to write an allow policy I got a syntax error
while the build checks the policy.
##avc: denied { open } for pid=630 comm="zygote" path="/sys/kernel/debug/tracing/trace_marker"
dev="tracefs" ino=62 scontext=u:r:zygote:s0 tcontext=u:object_r:debugfs_tracing:s0
tclass=file permissive=1
Try audit2allow. It frames the rule from the denial message (not always,
but in most cases it works well).
https://source.android.com/security/selinux/validate

For message:

<5> type=1400 audit: avc: denied { read write } for pid=177
comm="rmt_storage" name="mem" dev="tmpfs" ino=6004 scontext=u:r:rmt:s0
tcontext=u:object_r:kmem_device:s0 tclass=chr_file


adb pull /sys/fs/selinux/policy
adb logcat -b all -d | audit2allow -p policy


output

#============= shell ==============
allow shell kernel:security setenforce;
#============= rmt ==============
allow rmt kmem_device:chr_file { read write };

Post by m***@gmail.com
allow zygote debugfs_tracing:file {write}
I am not sure what is wrong. Can somebody please help?
Thanks.
--
Regards,
satish patel
Gautam Bhat
2018-07-26 18:08:00 UTC
Hi Satish,

Thanks for the reply. I was aware of audit2allow but never bothered to
use it. I started using it and I found out I simply missed the
semicolon at the end of the rule.

Thanks again.
-Gautam.
Post by m***@gmail.com
Hi,
I am trying to port AOSP Marshmallow to the BeagleBone Black. I get a lot of
AVC denied errors. When I tried to write an allow policy I got a syntax error
while the build checks the policy.
##avc: denied { open } for pid=630 comm="zygote"
path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=62
scontext=u:r:zygote:s0 tcontext=u:object_r:debugfs_tracing:s0 tclass=file
permissive=1
Try audit2allow. It frames the rule from the denial message (not always, but
in most cases it works well).
https://source.android.com/security/selinux/validate
<5> type=1400 audit: avc: denied { read write } for pid=177
comm="rmt_storage" name="mem" dev="tmpfs" ino=6004 scontext=u:r:rmt:s0
tcontext=u:object_r:kmem_device:s0 tclass=chr_file
adb pull /sys/fs/selinux/policy
adb logcat -b all -d | audit2allow -p policy
output
#============= shell ==============
allow shell kernel:security setenforce;
#============= rmt ==============
allow rmt kmem_device:chr_file { read write };
Post by m***@gmail.com
allow zygote debugfs_tracing:file {write}
I am not sure what is wrong. Can somebody please help?
Thanks.
--
Regards,
satish patel
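The two problems in this thread, a rule without its trailing semicolon and a rule written for a different permission than the one the denial reports (the denial says `{ open }`, the rule grants `{write}`), are both things a small checker can catch before the policy build does. The following is an added example, not code from the thread or from the AOSP audit2allow tool: it parses the two AVC lines quoted above, merges them into allow rules in the same syntax audit2allow prints (braces only around more than one permission, always a semicolon), and then checks a hand-written rule against a denial. The third sample denial and the `check_rule` and `format_rule` helpers are constructed for this example; the rule grammar it accepts is deliberately narrow (literal types only, no attributes, `self`, `*` or `~`, which real policy also allows).

```python
import re
from collections import defaultdict

# Input denials. The first two are the AVC lines quoted in this thread; the
# third is constructed here so that two denials for the same source/target/
# class triple get merged into one rule, as audit2allow does.
SAMPLE_DENIALS = [
    'avc: denied { open } for pid=630 comm="zygote" '
    'path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=62 '
    'scontext=u:r:zygote:s0 tcontext=u:object_r:debugfs_tracing:s0 '
    'tclass=file permissive=1',
    '<5> type=1400 audit: avc: denied { read write } for pid=177 '
    'comm="rmt_storage" name="mem" dev="tmpfs" ino=6004 scontext=u:r:rmt:s0 '
    'tcontext=u:object_r:kmem_device:s0 tclass=chr_file',
    # constructed for this example, not taken from the thread
    'avc: denied { write } for pid=630 comm="zygote" '
    'path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=62 '
    'scontext=u:r:zygote:s0 tcontext=u:object_r:debugfs_tracing:s0 '
    'tclass=file permissive=1',
]

# Pull the denied permission set and the three fields a TE rule needs.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?'
    r'tclass=(?P<tclass>\S+)'
)

# Simplified TE allow-rule grammar (assumption for this example): literal
# types only; attributes, self, '*' and '~' are not handled.
RULE_RE = re.compile(
    r'^allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+'
    r'(?:\{\s*(?P<multi>[^}]*?)\s*\}|(?P<single>\w+))\s*;$'
)


def parse_denial(line):
    """Return (source type, target type, class, set of perms), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level, e.g. u:r:zygote:s0; the TE rule
    # names only the type, which is the third field.
    src = m.group('scontext').split(':')[2]
    tgt = m.group('tcontext').split(':')[2]
    return src, tgt, m.group('tclass'), set(m.group('perms').split())


def format_rule(src, tgt, cls, perms):
    """audit2allow-style output: braces only for more than one permission,
    and always the trailing semicolon the policy compiler requires."""
    perm_str = ' '.join(sorted(perms))
    if len(perms) > 1:
        perm_str = '{ %s }' % perm_str
    return 'allow %s %s:%s %s;' % (src, tgt, cls, perm_str)


def generate_rules(lines):
    """Merge all denials into one allow rule per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for line in lines:
        parsed = parse_denial(line)
        if parsed is not None:
            src, tgt, cls, perms = parsed
            perms_by_key[(src, tgt, cls)] |= perms
    return [format_rule(src, tgt, cls, perms)
            for (src, tgt, cls), perms in sorted(perms_by_key.items())]


def check_rule(rule, denial_line):
    """List what is wrong with a hand-written rule for a given denial:
    syntax problems first, then whether it covers the denied permissions."""
    problems = []
    text = ' '.join(rule.split())          # normalise whitespace
    if not text.endswith(';'):
        problems.append('syntax: missing ";" at end of rule')
        text += ';'                        # keep going to report other issues
    m = RULE_RE.match(text)
    if m is None:
        problems.append('syntax: expected "allow <src> <tgt>:<class> <perm>;" '
                        'or "{ <perms> }" for the permission list')
        return problems
    parsed = parse_denial(denial_line)
    if parsed is None:
        problems.append('denial line not recognised as an AVC denial')
        return problems
    src, tgt, cls, denied = parsed
    if (m.group('src'), m.group('tgt'), m.group('cls')) != (src, tgt, cls):
        problems.append('rule is for %s %s:%s but denial is for %s %s:%s'
                        % (m.group('src'), m.group('tgt'), m.group('cls'),
                           src, tgt, cls))
    perm_text = m.group('multi') if m.group('multi') is not None else m.group('single')
    missing = denied - set(perm_text.split())
    if missing:
        problems.append('rule does not grant denied permission(s): %s'
                        % ' '.join(sorted(missing)))
    return problems


if __name__ == '__main__':
    for rule in generate_rules(SAMPLE_DENIALS):
        print(rule)
    # The rule from the first post, checked against the denial it was written for.
    for problem in check_rule('allow zygote debugfs_tracing:file {write}',
                              SAMPLE_DENIALS[0]):
        print('problem:', problem)
```

Generated rules still need a review before they go into the policy. audit2allow only transcribes what was denied; it does not decide whether the access should exist. In the output quoted above, `allow shell kernel:security setenforce;` would let the shell domain change the enforcing state, and read/write on `kmem_device` from `rmt` is access to kernel memory, so rules like these deserve a second look rather than a paste into the .te file.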