The Label isn't for selinux, but rather for the volume label. The -S file_contexts is the important chunk.

Bill

On Sat, Jun 8, 2013 at 5:45 PM, Sava Mikalački <mikalac...@gmail.com> wrote:

> Ok thanks, will try with the hack and let you know how it went. In the
> meantime, I found this:
>
>    1. + MAKE_EXT4FS_CMD='make_ext4fs -s -S /opt/cm-10.1/out/target/product/vision/root/file_contexts -l 435941376 -a system /opt/cm-10.1/out/target/product/vision/obj/PACKAGING/systemimage_intermediates/system.img /opt/cm-10.1/out/target/product/vision/system'
>    2. + echo make_ext4fs -s -S /opt/cm-10.1/out/target/product/vision/root/file_contexts -l 435941376 -a system /opt/cm-10.1/out/target/product/vision/obj/PACKAGING/systemimage_intermediates/system.img /opt/cm-10.1/out/target/product/vision/system
>    3. make_ext4fs -s -S /opt/cm-10.1/out/target/product/vision/root/file_contexts -l 435941376 -a system /opt/cm-10.1/out/target/product/vision/obj/PACKAGING/systemimage_intermediates/system.img /opt/cm-10.1/out/target/product/vision/system
>    4. + make_ext4fs -s -S /opt/cm-10.1/out/target/product/vision/root/file_contexts -l 435941376 -a system /opt/cm-10.1/out/target/product/vision/obj/PACKAGING/systemimage_intermediates/system.img /opt/cm-10.1/out/target/product/vision/system
>    5. Creating filesystem with parameters:
>    6. Size: 435941376
>    7. Block size: 4096
>    8. Blocks per group: 32768
>    9. Inodes per group: 6656
>    10. Inode size: 256
>    11. Journal blocks: 1662
>    12. Label:
>    13. Blocks: 106431
>    14. Block groups: 4
>    15. Reserved block group size: 31
>
> If I'm not mistaken, this is how make_ext4fs is called. Looking at
> make_ext4fs_main.c, I noticed there is an -L switch for label. In my build,
> there is no -L switch in make_ext4fs command. Could this mean something?
> Also, at the end of this build output, there is empty Label: between
> Journal blocks and Blocks.
>
> 2013/6/8 William Roberts <bill.c.robe...@gmail.com>
>
>> Ok cool, that's good. I am out of ideas for the time being, as I don't
>> have the device in hand.
>>
>> For a nasty hack add a restorecon -R /system somewhere in a post_fs
>> section of the init.rc, (system/core/rootdir)
>>
>> On Sat, Jun 8, 2013 at 5:35 PM, Sava Mikalački <mikalac...@gmail.com> wrote:
>>
>>> This is from my last build: http://pastebin.com/R8GDW3jT
>>>
>>> You can see that a lot of stuff from system is being printed out as
>>> labeled, and after that the system.img is created. Now, I'm trying to fix
>>> the issues when I introduce that patch, but I have build issues with some
>>> files not being found, I'm gonna try and use seandroid repos for this. I
>>> also checked, CM does have HAVE_SELINUX switches in their
>>> system/extras/ext4utils.
>>>
>>> 2013/6/8 William Roberts <bill.c.robe...@gmail.com>
>>>
>>>> Looks like make_ext4 isn't properly labeling system.img ....
>>>>
>>>> Perhaps they don't have all the support in system/extras as well... can
>>>> you verify that you see "Labeling ...." output during your build?
>>>> Try applying that patch I sent before..
>>>>
>>>> Or search system/extras/ext4utils for HAVE_SELINUX and let us know if
>>>> that pops up in there. Just want to make sure the ext4 labeling support is
>>>> indeed in the tool.
>>>>
>>>> Bill
>>>>
>>>> On Sat, Jun 8, 2013 at 4:57 PM, Sava Mikalački <mikalac...@gmail.com> wrote:
>>>>
>>>>> I tried several types of flashing: via fastboot and via update.zip.
>>>>> When using update.zip, I tried formatting all of the partitions and then
>>>>> flashing the zip file.
>>>>>
>>>>> As for logs, here they are:
>>>>> Here is the 'ls -Z /' output: http://pastebin.com/J2QJpVSk
>>>>> Here is the dmesg output on boot: http://pastebin.com/kiuMy7YC
>>>>>
>>>>> I'm gonna try out the -v option for mkuserimg.sh now.
>>>>>
>>>>> Now, I'm using only libselinux and sepolicy from bitbucket seandroid,
>>>>> all other stuff is from CM repos. Could this be a problem? I mean, me not
>>>>> using bitbucket seandroid repos for all other parts of source tree, except
>>>>> for libselinux and sepolicy?
>>>>> >>>>> Thanks for your feedback and help, really appreciate it. >>>>> >>>>> >>>>> 2013/6/8 Robert Craig <robertpcr...@gmail.com> >>>>> >>>>>> Could you give us your dmesg output on boot and run 'ls -Z /'. That >>>>>> would certainly give us a bit more info. >>>>>> >>>>>> >>>>>> On Sat, Jun 8, 2013 at 3:46 PM, William Roberts < >>>>>> bill.c.robe...@gmail.com> wrote: >>>>>> >>>>>>> Oh one last thing, how are you flashing, via update.zip? >>>>>>> >>>>>>> >>>>>>> On Sat, Jun 8, 2013 at 3:46 PM, William Roberts < >>>>>>> bill.c.robe...@gmail.com> wrote: >>>>>>> >>>>>>>> Well your dissection of those denials is correct, you have >>>>>>>> an unlabeled file that needs to be labeled. Is that file in the >>>>>>>> system.img >>>>>>>> during build? You can modify the make_ext4 command and pass it -v >>>>>>>> during >>>>>>>> the build to get all the labels of the system image as well, sometimes >>>>>>>> useful when debugging. >>>>>>>> >>>>>>>> https://android-review.googlesource.com/#/c/49992 >>>>>>>> >>>>>>>> You can hack in the -v in: >>>>>>>> system/extras/ext4_utils/mkuserimg.sh >>>>>>>> >>>>>>>> diff --git a/ext4_utils/mkuserimg.sh b/ext4_utils/mkuserimg.sh >>>>>>>> index 1136a9e..ec516b2 100755 >>>>>>>> --- a/ext4_utils/mkuserimg.sh >>>>>>>> +++ b/ext4_utils/mkuserimg.sh 
>>>>>>>> @@ -52,7 +52,7 @@ if [ -n "$FC" ]; then >>>>>>>> FCOPT="-S $FC" >>>>>>>> fi >>>>>>>> >>>>>>>> -MAKE_EXT4FS_CMD="make_ext4fs $ENABLE_SPARSE_IMAGE $FCOPT -l $SIZE >>>>>>>> -a $MOUNT_POINT $OUTPUT_FILE $SRC_DIR" >>>>>>>> +MAKE_EXT4FS_CMD="make_ext4fs $ENABLE_SPARSE_IMAGE $FCOPT -v -l >>>>>>>> $SIZE -a $MOUNT_POINT $OUTPUT_FILE $SRC_DIR" >>>>>>>> echo $MAKE_EXT4FS_CMD >>>>>>>> $MAKE_EXT4FS_CMD >>>>>>>> if [ $? -ne 0 ]; then >>>>>>>> >>>>>>>> >>>>>>>> Onto the untrsued_app, that sounds right. Any apk that does not >>>>>>>> have a known signing key is treated as untrusted. >>>>>>>> >>>>>>>> See the readme in external/sepoliocy for config options, if you >>>>>>>> have questions, hit us back up. >>>>>>>> >>>>>>>> Bill >>>>>>>> >>>>>>>> >>>>>>>> On Sat, Jun 8, 2013 at 1:40 PM, Sava Mikalački < >>>>>>>> mikalac...@gmail.com> wrote: >>>>>>>> >>>>>>>>> Hello! >>>>>>>>> >>>>>>>>> I am relatively new to Android building and especially SEAndroid, >>>>>>>>> so sorry if im missing something, I tried to provide as much usefull >>>>>>>>> info >>>>>>>>> as I can. What I am trying to do is to build SEAndroid with >>>>>>>>> CyanogenMod 10 >>>>>>>>> for my Desire Z. After downloading the sources, i replaced >>>>>>>>> external/libselinux and external/sepolicy with the ones from seandroid >>>>>>>>> bitbucket, revision=seandroid. Also, im using HTC kernel 3.0 for >>>>>>>>> msm7x30 >>>>>>>>> with SELinux enabled. I managed to compile the system, it boots >>>>>>>>> properly >>>>>>>>> and SEAndroid is running in permissive mode. But, as soon as I >>>>>>>>> setenforce 1 >>>>>>>>> my device blocks. I get tons of AVC denials, but I guess its ok since >>>>>>>>> this >>>>>>>>> is a custom build for a device thats is not supported by CM nor >>>>>>>>> SEAndroid. 
>>>>>>>>> One thing I don't understand is this: when my system builds, I get a lot of
>>>>>>>>> Labeling outputs, and one of them looks like this:
>>>>>>>>> Labeling /system/lib/libandroid_servers.so as u:object_r:system_file:s0
>>>>>>>>>
>>>>>>>>> Now, when I boot the device, I exported /proc/kmsg and I get this
>>>>>>>>> avc denied:
>>>>>>>>> <5>[ 32.514526] type=1400 audit(1370711031.613:7): avc: denied { search } for pid=1827 comm="system_server" name="/" dev=mmcblk0p25 ino=2 scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
>>>>>>>>> <5>[ 32.515380] type=1400 audit(1370711031.613:8): avc: denied { getattr } for pid=1827 comm="system_server" path="/system/lib/libandroid_servers.so" dev=mmcblk0p25 ino=113 scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
>>>>>>>>> <5>[ 32.515747] type=1400 audit(1370711031.613:9): avc: denied { read } for pid=1827 comm="system_server" name="libandroid_servers.so" dev=mmcblk0p25 ino=113 scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
>>>>>>>>> <5>[ 32.516082] type=1400 audit(1370711031.613:10): avc: denied { open } for pid=1827 comm="system_server" name="libandroid_servers.so" dev=mmcblk0p25 ino=113 scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
>>>>>>>>> <5>[ 32.521057] type=1400 audit(1370711031.613:11): avc: denied { execute } for pid=1827 comm="system_server" path="/system/lib/libandroid_servers.so" dev=mmcblk0p25 ino=113 scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
>>>>>>>>> <5>[ 32.586761] type=1400 audit(1370711031.683:12): avc: denied { read } for pid=1827 comm="system_server" path=2F6465762F6173686D656D2F64616C76696B2D4C696E656172416C6C6F63202864656C6574656429 dev=tmpfs ino=1576 scontext=u:r:system:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
>>>>>>>>>
>>>>>>>>> If I understand this correctly, it looks like
>>>>>>>>> system/lib/libandroid_servers is unlabeled even though build log showed it
>>>>>>>>> as being labeled. What could I be doing wrong? I tried several clobber
>>>>>>>>> builds, flashing via zip or fastboot but still every time I get this and a
>>>>>>>>> lot of other denials stating unlabeled output. I know the setup is not
>>>>>>>>> standard as per SEAndroid wiki, I'm just trying to understand why is this
>>>>>>>>> causing denials. Also, all of my apk are treated as untrusted apps. Do you
>>>>>>>>> have maybe any advice for me? What could I be missing in my setup?
>>>>>>>>>
>>>>>>>>> Thank you very much in advance!
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> I have only two questions: How much and give it to me.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Respectfully,
>>>>>>>>
>>>>>>>> William C Roberts
>>>>>>>
>>>>>>> --
>>>>>>> Respectfully,
>>>>>>>
>>>>>>> William C Roberts
>>>>>
>>>>> --
>>>>> I have only two questions: How much and give it to me.
>>>>
>>>> --
>>>> Respectfully,
>>>>
>>>> William C Roberts
>>>
>>> --
>>> I have only two questions: How much and give it to me.
>>
>> --
>> Respectfully,
>>
>> William C Roberts
>
> --
> I have only two questions: How much and give it to me.

--
Respectfully,

William C Roberts
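
Review bot: In the mkuserimg.sh hunk quoted earlier in the thread, the `-v` on the `+MAKE_EXT4FS_CMD=` line is unconditional, so every image built through this script prints a label line for each file. Set it the way the context lines just above set `FCOPT`, that is, only when the caller asks for it (an optional argument or an environment variable), and leave the default command as it was. The unchanged `$MAKE_EXT4FS_CMD` line also expands the command unquoted, so a value of `$FC`, `$OUTPUT_FILE` or `$SRC_DIR` containing a space would be split into separate arguments; that is not introduced by this change but is visible in the same hunk.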
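
Added example, not code from the thread or from the SEAndroid project: a small Python triage script that parses the AVC denials quoted above, decodes the hex-encoded `path=` value, and groups denials whose target type is `unlabeled` by device and inode, which is the pattern that pointed at the image labeling here. The function names are illustrative, and the sample input is the thread's own log lines with the e-mail wrapping rejoined.

```python
import re
from collections import defaultdict

# Denials quoted in the thread above, with the e-mail line wrapping rejoined.
SAMPLE_KMSG = """\
<5>[ 32.514526] type=1400 audit(1370711031.613:7): avc: denied { search } for pid=1827 comm="system_server" name="/" dev=mmcblk0p25 ino=2 scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<5>[ 32.515380] type=1400 audit(1370711031.613:8): avc: denied { getattr } for pid=1827 comm="system_server" path="/system/lib/libandroid_servers.so" dev=mmcblk0p25 ino=113 scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[ 32.515747] type=1400 audit(1370711031.613:9): avc: denied { read } for pid=1827 comm="system_server" name="libandroid_servers.so" dev=mmcblk0p25 ino=113 scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[ 32.516082] type=1400 audit(1370711031.613:10): avc: denied { open } for pid=1827 comm="system_server" name="libandroid_servers.so" dev=mmcblk0p25 ino=113 scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[ 32.521057] type=1400 audit(1370711031.613:11): avc: denied { execute } for pid=1827 comm="system_server" path="/system/lib/libandroid_servers.so" dev=mmcblk0p25 ino=113 scontext=u:r:system:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[ 32.586761] type=1400 audit(1370711031.683:12): avc: denied { read } for pid=1827 comm="system_server" path=2F6465762F6173686D656D2F64616C76696B2D4C696E656172416C6C6F63202864656C6574656429 dev=tmpfs ino=1576 scontext=u:r:system:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in FIELD_RE.findall(m.group(2)):
        if val.startswith('"'):
            val = val.strip('"')
        elif key in ("path", "name") and HEX_RE.fullmatch(val):
            # audit writes strings with spaces or quotes as unquoted hex
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec[key] = val
    return rec

def unlabeled_targets(log):
    """Group denials whose target type is 'unlabeled' by (device, inode)."""
    hits = defaultdict(lambda: {"target": None, "perms": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tcontext", "").split(":")[2:3] != ["unlabeled"]:
            continue
        entry = hits[(rec.get("dev"), rec.get("ino"))]
        entry["perms"].update(rec["perms"])
        # Prefer a full path over the bare name seen in other records.
        entry["target"] = rec.get("path") or entry["target"] or rec.get("name")
    return dict(hits)

if __name__ == "__main__":
    for (dev, ino), info in unlabeled_targets(SAMPLE_KMSG).items():
        print(dev, ino, info["target"], sorted(info["perms"]))
```

Every unlabeled hit in the sample sits on one block device, which is what separates a filesystem-wide labeling gap from a missing policy rule for a single file.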