On 04/09/2013 12:04 PM, Michal Mašek wrote:
Hi,

I compiled SEAndroid 4.2.2 for Nexus 4. Problem is that there are some unlabeled files:

/persist/
/persist/*
/cache/lost+found/

In the audit.log there are (among others) three denials related to unlabeled files:

type=1400 msg=audit(1365519109.100:72): avc: denied { getattr } for pid=1022 comm="Thread-47" path="/cache/lost+found" dev="mmcblk0p22" ino=11 scontext=u:r:media_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
type=1400 msg=audit(1365519114.456:90): avc: denied { read } for pid=1315 comm="bdAddrLoader" name=".bdaddr" dev="mmcblk0p20" ino=16 scontext=u:r:shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 msg=audit(1365519114.456:91): avc: denied { open } for pid=1315 comm="bdAddrLoader" name=".bdaddr" dev="mmcblk0p20" ino=16 scontext=u:r:shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

I installed the system with fastboot -w flashall. Any idea what I am doing wrong?
You didn't do anything wrong; we just haven't written device-specific policy for the Nexus 4 yet because we don't have one. Joshua Brindle did post a patch back on 12/17/2012 that had some device-specific additions but we didn't merge it as we couldn't test it.
I've left the lost+found directories as unlabeled because there isn't really a reason to label them per se, but we could define a type for them and put a restorecon into the init.rc to put them into that type if we want to get rid of those (harmless) getattr denials. Then we can just dontaudit them without hiding any other unlabeled access.
I'm not sure what /persist stores, but it might be similar to the /factory or /efs partition on other devices? You could add entries to the device/lge/mako/sepolicy/file_contexts file (doesn't exist in our tree, but Joshua's patch created one) to label /persist with efs_file and the bluetooth-related files with bluetooth_efs_file.
-- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
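The workflow the reply describes, parse the avc denials for objects in the unlabeled type, then decide which file_contexts entries would give them a proper type, worked through as an added Python example. This is not code from the thread or from the SEAndroid project. It assumes: a hypothetical type name lost_found_file for the lost+found type the reply says could be defined; that the .bdaddr file lives on the /persist partition (the denial only shows name=".bdaddr" and dev="mmcblk0p20", so the block-device-to-mount-point table is an assumption, to be read from /proc/mounts on a real device); and a simplified version of file_contexts matching (longest literal prefix wins, later entry breaks ties), which follows the spirit of libselinux's stem-based lookup but is not its exact algorithm.

```python
import re

# Constructed sample input: the three avc denials quoted in the thread.
AVC_LINES = [
    'type=1400 msg=audit(1365519109.100:72): avc: denied { getattr } for pid=1022 '
    'comm="Thread-47" path="/cache/lost+found" dev="mmcblk0p22" ino=11 '
    'scontext=u:r:media_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir',
    'type=1400 msg=audit(1365519114.456:90): avc: denied { read } for pid=1315 '
    'comm="bdAddrLoader" name=".bdaddr" dev="mmcblk0p20" ino=16 '
    'scontext=u:r:shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=file',
    'type=1400 msg=audit(1365519114.456:91): avc: denied { open } for pid=1315 '
    'comm="bdAddrLoader" name=".bdaddr" dev="mmcblk0p20" ino=16 '
    'scontext=u:r:shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=file',
]

# Hypothetical file_contexts fragment (regex, then context) in the format the
# Android sepolicy file_contexts files use.  lost_found_file is a made-up name
# for the lost+found type the reply suggests; efs_file and bluetooth_efs_file
# are the types the reply names.  /persist/.bdaddr is an assumed location.
FILE_CONTEXTS = r"""
# path regex                  security context
/cache/lost\+found            u:object_r:lost_found_file:s0
/persist(/.*)?                u:object_r:efs_file:s0
/persist/\.bdaddr             u:object_r:bluetooth_efs_file:s0
"""

# Assumed block-device -> mount-point table; a file denial carries only
# name= and dev=, so this is what turns ".bdaddr" into a full path.
ASSUMED_MOUNTS = {"mmcblk0p20": "/persist", "mmcblk0p22": "/cache"}

UNLABELED = "u:object_r:unlabeled:s0"
AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]*) \} for (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Turn one avc denial line into a dict of its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec


def context_type(ctx):
    """Type field of a user:role:type:level context string ('' if malformed)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""


def target_path(rec):
    """Full path of the denied object, or None if it cannot be reconstructed."""
    if "path" in rec:
        return rec["path"]
    mount = ASSUMED_MOUNTS.get(rec.get("dev", ""))
    return mount + "/" + rec["name"] if mount and "name" in rec else None


def parse_file_contexts(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            regex, ctx = line.split()
            entries.append((regex, ctx))
    return entries


def literal_prefix(regex):
    """Leading literal characters of a regex: the 'stem' used for specificity."""
    return re.match(r"[^.^$?*+()\[\]{}|\\]*", regex).group(0)


def lookup_context(entries, path):
    """Simplified matching: longest literal prefix wins, later entry breaks ties.
    Anything no entry matches stays unlabeled, exactly the situation in the thread."""
    best_key, best_ctx = None, UNLABELED
    for idx, (regex, ctx) in enumerate(entries):
        if re.fullmatch(regex, path):
            key = (len(literal_prefix(regex)), idx)
            if best_key is None or key > best_key:
                best_key, best_ctx = key, ctx
    return best_ctx


def plan_labels(lines, fc_text):
    """For each unlabeled object in the denials, the type the proposed
    file_contexts would assign (sorted list of (path, type) pairs)."""
    entries = parse_file_contexts(fc_text)
    plan = {}
    for line in lines:
        rec = parse_avc(line)
        if not rec or context_type(rec.get("tcontext", "")) != "unlabeled":
            continue
        path = target_path(rec)
        if path is not None:
            plan[path] = context_type(lookup_context(entries, path))
    return sorted(plan.items())


if __name__ == "__main__":
    for path, new_type in plan_labels(AVC_LINES, FILE_CONTEXTS):
        print(f"{path} -> {new_type}")
```

Running it lists /cache/lost+found resolving to lost_found_file and /persist/.bdaddr to bluetooth_efs_file (the two .bdaddr denials collapse to one object). The bluetooth entry wins over the general /persist one because its literal prefix is longer, which is the property to check whenever a specific file needs a narrower type than its parent directory; anything still reported as unlabeled needs another file_contexts line (and a restorecon at boot, as the reply notes) rather than a dontaudit.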
