Thanks Sooraj. I have added androidboot.selinux=permissive in the target's BoardConfig makefile, and when I parsed the avc denial log messages using the audit2allow tool it still gives unlabeled permissions, even though I have added the parsed permissions into the device/AM438/sepolicy/*.te files. But unfortunately some of the unlabeled permissions are neverallowed by the external/sepolicy/kernel.te and demen.te files, so I think modifying the generic *.te files in external/sepolicy/ is not a proper way; please correct me if I am wrong.
#device/AM438/sepolicy/init.te
#============= kernel ==============
allow kernel unlabeled:file { relabelfrom execute read open getattr execute_no_trans };
# but actually the execute_no_trans permission is neverallowed by external/sepolicy/kernel.te
allow kernel unlabeled:lnk_file { read execute };

#device/AM438/sepolicy/kernel.te
#============= init ==============
allow init unlabeled:dir mounton;
allow init unlabeled:file execute;
allow init storage_file:dir mounton;
allow init unlabeled:file execute_no_trans;
allow init logd_socket:sock_file write;
allow init self:capability sys_nice;
allow init self:netlink_audit_socket create;
allow init self:netlink_kobject_uevent_socket create;
allow init self:rawip_socket create;
allow init storage_file:dir mounton;
allow init unlabeled:file execute_no_trans;

After doing this whole process I got the following logs. I don't understand why it gives me unlabeled permissions when I parse the avc denial logs.

[ 4.741588] init: init started!
[ 4.779383] SELinux: Android master kernel running Android M policy in compatibility mode.
[ 4.797773] SELinux: Permission module_load in class system not defined in policy.
[ 4.806367] SELinux: Class netlink_iscsi_socket not defined in policy.
[ 4.813431] SELinux: Class netlink_fib_lookup_socket not defined in policy.
[ 4.820868] SELinux: Class netlink_connector_socket not defined in policy.
[ 4.828241] SELinux: Class netlink_netfilter_socket not defined in policy.
[ 4.835614] SELinux: Class netlink_generic_socket not defined in policy.
[ 4.842786] SELinux: Class netlink_scsitransport_socket not defined in policy.
[ 4.850493] SELinux: Class netlink_rdma_socket not defined in policy.
[ 4.857390] SELinux: Class netlink_crypto_socket not defined in policy.
[ 4.864786] SELinux: Permission audit_read in class capability2 not defined in policy.
[ 4.873314] SELinux: the above unknown classes and permissions will be denied
[ 5.008416] audit: type=1403 audit(5.000:2): policy loaded auid=4294967295 ses=4294967295
[ 5.018893] audit: type=1404 audit(5.010:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[ 5.053062] init: (Initializing SELinux enforcing took 0.31s.)
[ 5.083123] init: init second stage started!
[ 5.155902] init: waitpid failed: No child processes
[ 5.167600] init: (Loading properties from /default.prop took 0.01s.)
[ 5.190003] init: (Parsing /init.environ.rc took 0.00s.)
[ 5.201329] init: (Parsing /init.usb.rc took 0.01s.)
[ 5.207105] init: could not import file '/init.unknown.rc' from '/init.rc'
[ 5.219968] init: (Parsing /init.zygote32.rc took 0.01s.)
[ 5.231446] init: (Parsing /init.trace.rc took 0.01s.)
[ 5.237207] init: (Parsing /init.rc took 0.06s.)
[ 8.208686] init: Starting service 'zygote'...
[ 8.408365] healthd: No charger supplies found
[ 8.415518] healthd: No battery devices found
[ 10.667422] init: Service 'zygote' (pid 145) killed by signal 6
[ 10.674246] init: Service 'zygote' (pid 145) killing any children in process group
[ 10.683851] init: write_file: Unable to open '/sys/android_power/request_state': No such file or directory
[ 10.696174] init: write_file: Unable to write to '/sys/power/state': Invalid argument
[ 10.706458] init: Warning! Service media needs a SELinux domain defined; please fix!
[ 10.715459] init: Starting service 'media'...
[ 10.724635] init: Warning! Service netd needs a SELinux domain defined; please fix!
[ 10.735428] init: Starting service 'netd'...
[ 12.752365] init: Warning! Service surfaceflinger needs a SELinux domain defined; please fix!
[ 12.761482] init: Starting service 'surfaceflinger'...
[ 13.092734] init: Service 'surfaceflinger' (pid 177) killed by signal 6
[ 13.099774] init: Service 'surfaceflinger' (pid 177) killing any children in process group
[ 13.126197] init: Warning! Service zygote needs a SELinux domain defined; please fix!
[ 13.152597] init: Starting service 'zygote'...
shell@sitara:/ $
shell@sitara:/ $
shell@sitara:/ $ su
su: setgid failed: Operation not permitted
1|shell@sitara:/ $
1|shell@sitara:/ $
1|shell@sitara:/ $
1|shell@sitara:/ $
1|shell@sitara:/ $ su
su: setgid failed: Operation not permitted
1|shell@sitara:/ $
[ 16.240644] init: Service 'zygote' (pid 185) killed by signal 6
[ 16.252381] init: Service 'zygote' (pid 185) killing any children in process group
[ 16.260774] init: write_file: Unable to open '/sys/android_power/request_state': No such file or directory
[ 16.304716] init: write_file: Unable to write to '/sys/power/state': Invalid argument
[ 16.316857] init: Service 'media' is being killed...
[ 16.340089] init: Service 'netd' is being killed...
[ 16.356396] init: Service 'media' (pid 147) killed by signal 9

Thanks,
Mantesh
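As an added example (not from the post or from audit2allow itself), here is a small parser for avc denial lines in the dmesg/logcat format that groups them into audit2allow-style allow rules, but separates denials whose target is the unlabeled type: those indicate files that have no label (missing file_contexts entry or an unrelabeled partition), so the fix is labeling, not an allow rule. The avc lines and paths are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample denials in dmesg/logcat format (not from the original post).
SAMPLE_AVC_LOG = """
[ 5.11] type=1400 audit(5.1:4): avc: denied { execute_no_trans } for pid=145 comm="init" path="/system/bin/app_process32" dev="mmcblk0p2" ino=42 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
[ 5.12] type=1400 audit(5.1:5): avc: denied { read open } for pid=145 comm="init" path="/system/bin/app_process32" dev="mmcblk0p2" ino=42 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
[ 5.13] type=1400 audit(5.1:6): avc: denied { write } for pid=147 comm="mediaserver" name="logdw" dev="tmpfs" ino=7 scontext=u:r:init:s0 tcontext=u:object_r:logd_socket:s0 tclass=sock_file permissive=1
"""

# Matches the permission set and the source/target contexts and object class of one denial.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_denials(log):
    """Return {(source_type, target_type, tclass): set(perms)} from avc lines in log."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group('scon').split(':')[2]   # u:r:init:s0 -> init
        ttype = m.group('tcon').split(':')[2]   # u:object_r:unlabeled:s0 -> unlabeled
        rules[(stype, ttype, m.group('tclass'))].update(m.group('perms').split())
    return rules

def to_allow_rules(rules):
    """Emit audit2allow-style allow lines; unlabeled targets are reported as labeling problems."""
    allow, labeling = [], []
    for (s, t, c), perms in sorted(rules.items()):
        perm_str = ' '.join(sorted(perms))
        if t == 'unlabeled':
            # Granting access to unlabeled objects is neverallowed upstream; label the files instead.
            labeling.append(f"{s} hit unlabeled {c} ({perm_str}): fix file_contexts/restorecon, do not allow")
        else:
            allow.append(f"allow {s} {t}:{c} {{ {perm_str} }};")
    return allow, labeling

if __name__ == '__main__':
    allow_rules, labeling_issues = to_allow_rules(parse_denials(SAMPLE_AVC_LOG))
    print('\n'.join(allow_rules + labeling_issues))
```

Feed it the real dmesg or logcat output; any entry that lands in the labeling list points at a file that needs a file_contexts entry (and a relabel of the partition) rather than a new rule in the device .te files.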