Ok cool, that's good. I am out of ideas for the time being, as I don't have the device in hand.
For a nasty hack add a restorecon -R /system somewhere in a post_fs section of the init.rc, (system/core/rootdir) On Sat, Jun 8, 2013 at 5:35 PM, Sava Mikalački <mikalac...@gmail.com> wrote: > This is from my last build: http://pastebin.com/R8GDW3jT > > You can see that a lot of stuff from system is being printed out as > labeled, and after that the system.img is created. Now, im trying to fix > the issues when I introduce that patch, but I have build issues with some > files not being found, im gonna try and use seandroid repos for this. I > also checked, CM does have HAVE_SELINUX switches in their > system/extras/ext4utils. > > > 2013/6/8 William Roberts <bill.c.robe...@gmail.com> > >> Looks like make_ext4 isn't properly labeling system.img .... >> >> Perhaps they don't have all the support in system/extras as well... can >> you verify that that you see "Labeling ...." output during your build? >> Try applying that patch I sent before.. >> >> Or search system/extras/ext4utils for HAVE_SELINUX and let us know if >> that pops up in there. Just want to make sure the ext4 labeling support is >> indeed in the tool. >> >> Bill >> >> >> On Sat, Jun 8, 2013 at 4:57 PM, Sava Mikalački <mikalac...@gmail.com>wrote: >> >>> I tried several types of flashing: via fastboot and via update.zip. When >>> using update.zip, i tried formatting all of the partitions and the flashing >>> the zip file. >>> >>> As for logs, here they are: >>> Here is the 'ls -Z /' output: http://pastebin.com/J2QJpVSk >>> Here is the dmesg output on boot: http://pastebin.com/kiuMy7YC >>> >>> Im gonna try out the -v option for mkuserimg.sh now. >>> >>> Now, im using only libselinux and sepolicy from bitbucket seandroid, all >>> other stuff is from CM repos. Could this be a problem? I mean, me not using >>> bitbucket seandroid repos for all other parts of source tree, except for >>> libselinux and sepolicy? >>> >>> Thanks for your feedback and help, really appreciate it. >>> >>> >>> 2013/6/8 Robert Craig <robertpcr...@gmail.com> >>> >>>> Could you give us your dmesg output on boot and run 'ls -Z /'. That >>>> would certainly give us a bit more info. >>>> >>>> >>>> On Sat, Jun 8, 2013 at 3:46 PM, William Roberts < >>>> bill.c.robe...@gmail.com> wrote: >>>> >>>>> Oh one last thing, how are you flashing, via update.zip? >>>>> >>>>> >>>>> On Sat, Jun 8, 2013 at 3:46 PM, William Roberts < >>>>> bill.c.robe...@gmail.com> wrote: >>>>> >>>>>> Well your dissection of those denials is correct, you have >>>>>> an unlabeled file that needs to be labeled. Is that file in the >>>>>> system.img >>>>>> during build? You can modify the make_ext4 command and pass it -v during >>>>>> the build to get all the labels of the system image as well, sometimes >>>>>> useful when debugging. >>>>>> >>>>>> https://android-review.googlesource.com/#/c/49992 >>>>>> >>>>>> You can hack in the -v in: >>>>>> system/extras/ext4_utils/mkuserimg.sh >>>>>> >>>>>> diff --git a/ext4_utils/mkuserimg.sh b/ext4_utils/mkuserimg.sh >>>>>> index 1136a9e..ec516b2 100755 >>>>>> --- a/ext4_utils/mkuserimg.sh >>>>>> +++ b/ext4_utils/mkuserimg.sh >>>>>> @@ -52,7 +52,7 @@ if [ -n "$FC" ]; then >>>>>> FCOPT="-S $FC" >>>>>> fi >>>>>> >>>>>> -MAKE_EXT4FS_CMD="make_ext4fs $ENABLE_SPARSE_IMAGE $FCOPT -l $SIZE -a >>>>>> $MOUNT_POINT $OUTPUT_FILE $SRC_DIR" >>>>>> +MAKE_EXT4FS_CMD="make_ext4fs $ENABLE_SPARSE_IMAGE $FCOPT -v -l $SIZE >>>>>> -a $MOUNT_POINT $OUTPUT_FILE $SRC_DIR" >>>>>> echo $MAKE_EXT4FS_CMD >>>>>> $MAKE_EXT4FS_CMD >>>>>> if [ $? -ne 0 ]; then >>>>>> >>>>>> >>>>>> Onto the untrsued_app, that sounds right. Any apk that does not have >>>>>> a known signing key is treated as untrusted. >>>>>> >>>>>> See the readme in external/sepoliocy for config options, if you have >>>>>> questions, hit us back up. >>>>>> >>>>>> Bill >>>>>> >>>>>> >>>>>> On Sat, Jun 8, 2013 at 1:40 PM, Sava Mikalački >>>>>> <mikalac...@gmail.com>wrote: >>>>>> >>>>>>> Hello! >>>>>>> >>>>>>> I am relatively new to Android building and especially SEAndroid, so >>>>>>> sorry if im missing something, I tried to provide as much usefull info >>>>>>> as I >>>>>>> can. What I am trying to do is to build SEAndroid with CyanogenMod 10 >>>>>>> for >>>>>>> my Desire Z. After downloading the sources, i replaced >>>>>>> external/libselinux >>>>>>> and external/sepolicy with the ones from seandroid bitbucket, >>>>>>> revision=seandroid. Also, im using HTC kernel 3.0 for msm7x30 with >>>>>>> SELinux >>>>>>> enabled. I managed to compile the system, it boots properly and >>>>>>> SEAndroid >>>>>>> is running in permissive mode. But, as soon as I setenforce 1 my device >>>>>>> blocks. I get tons of AVC denials, but I guess its ok since this is a >>>>>>> custom build for a device thats is not supported by CM nor SEAndroid. >>>>>>> One >>>>>>> thing I dont understand is this: when my system builds, I get a lot of >>>>>>> Labeling outputs, and one of them looks like this: >>>>>>> Labeling /system/lib/libandroid_servers.so as >>>>>>> u:object_r:system_file:s0 >>>>>>> >>>>>>> Now, when I boot the device, I exported /proc/kmsg and I get this >>>>>>> avc denied: >>>>>>> <5>[ 32.514526] type=1400 audit(1370711031.613:7): avc: denied { >>>>>>> search } for pid=1827 comm="system_server" name="/" dev=mmcblk0p25 >>>>>>> ino=2 >>>>>>> scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir >>>>>>> <5>[ 32.515380] type=1400 audit(1370711031.613:8): avc: denied { >>>>>>> getattr } for pid=1827 comm="system_server" >>>>>>> path="/system/lib/libandroid_servers.so" dev=mmcblk0p25 ino=113 >>>>>>> scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=file >>>>>>> <5>[ 32.515747] type=1400 audit(1370711031.613:9): avc: denied { >>>>>>> read } for pid=1827 comm="system_server" name="libandroid_servers.so" >>>>>>> dev=mmcblk0p25 ino=113 scontext=u:r:system:s0 >>>>>>> tcontext=u:object_r:unlabeled:s0 tclass=file >>>>>>> <5>[ 32.516082] type=1400 audit(1370711031.613:10): avc: denied >>>>>>> { open } for pid=1827 comm="system_server" >>>>>>> name="libandroid_servers.so" >>>>>>> dev=mmcblk0p25 ino=113 scontext=u:r:system:s0 >>>>>>> tcontext=u:object_r:unlabeled:s0 tclass=file >>>>>>> <5>[ 32.521057] type=1400 audit(1370711031.613:11): avc: denied >>>>>>> { execute } for pid=1827 comm="system_server" >>>>>>> path="/system/lib/libandroid_servers.so" dev=mmcblk0p25 ino=113 >>>>>>> scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=file >>>>>>> <5>[ 32.586761] type=1400 audit(1370711031.683:12): avc: denied >>>>>>> { read } for pid=1827 comm="system_server" >>>>>>> path=2F6465762F6173686D656D2F64616C76696B2D4C696E656172416C6C6F63202864656C6574656429 >>>>>>> dev=tmpfs ino=1576 scontext=u:r:system:s0 >>>>>>> tcontext=u:object_r:init_tmpfs:s0 >>>>>>> tclass=file >>>>>>> >>>>>>> If I understand this correctly, it looks like >>>>>>> system/lib/libandroid_servers is unlabeled even though build log showed >>>>>>> it >>>>>>> as being labeled. What could I be doing wrong? I tried several clober >>>>>>> builds, flashing via zip or fastboot but still everytime i get this and >>>>>>> a >>>>>>> lot of other denials stating unlabeled output. I know the setup is not >>>>>>> standard as per SEAndroid wiki, im just trying to understand why is this >>>>>>> causing denials. Also, all of my apk are treated as untrusted apps. Do >>>>>>> you >>>>>>> have maybe any advice for me? What could I be missing in my setup? >>>>>>> >>>>>>> Thank you very much in advance! >>>>>>> >>>>>>> -- >>>>>>> I have only two questions: How much and give it to me. >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Respectfully, >>>>>> >>>>>> William C Roberts >>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> Respectfully, >>>>> >>>>> William C Roberts >>>>> >>>>> >>>> >>> >>> >>> -- >>> I have only two questions: How much and give it to me. >>> >> >> >> >> -- >> Respectfully, >> >> William C Roberts >> >> > > > -- > I have only two questions: How much and give it to me. > -- Respectfully, William C Roberts
