On 06/24/2014 01:13 PM, Stephen Smalley wrote:
> On 06/24/2014 12:51 PM, Stephen Smalley wrote:
>> On 06/24/2014 12:44 PM, Dinesh Garg wrote:
>>> Now I have the following rules:
>>>
>>> allow test ssd_device:blk_file {read write getattr open ioctl};
>>> allow test block_device:dir search;
>>>
>>> Now I am getting the following denials:
>>> 01-07 17:02:48.259 I/auditd  (  270): type=1400 audit(0.0:5): avc:
>>>  denied  { read write } for  comm="test" name="mmcblk0p23" dev="tmpfs"
>>> ino=9154 scontext=u:r:test:s0
>>> tcontext=u:object_r:storage_partition_device:s0 tclass=blk_file
>>>
>>> ssd is linked as follows: 
>>>
>>> shell@dinesh:/dev/block/bootdevice/by-name # ls -l
>>> lrwxrwxrwx root     root              1970-01-07 17:02 ssd ->
>>> /dev/block/mmcblk0p23
>>>
>>> Looks like some change is required in patches to resolve the original issue.
>>
>> You must have specified an entry for /dev/block/mmcblk0p23
>> u:object_r:storage_partition_device:s0 in your file_contexts file
>> elsewhere, such that it is taking precedence.  Remove that and you
>> should be fine.
> 
> Our policy does not define a storage_partition_device type at all, much
> less assign it to any device files in file_contexts, so this is specific
> to your policy.  We would need to see your file_contexts entries,
> particularly ones with a /dev/block prefix.
> 
> Also, is /dev/block/bootdevice a symlink to a directory or an actual
> directory?
> 
> If you uncomment the following line in system/core/init/Android.mk and
> force a rebuild of init, you'll get more info from ueventd (capture with
> adb shell su 0 cat /proc/kmsg > dmesg.txt):
> LOCAL_CFLAGS += -DLOG_UEVENTS=1

Actually, the attached patch will likely prove more useful in debugging
the issue.  Apply to system/core on top of the existing one, rebuild
init and your boot image, reflash, boot, and capture /proc/kmsg as
above.  You should see entries like:
<3>[    2.689764] init: Looking up best match for /dev/block/mmcblk0p12
<3>[    2.689807] init:   With the following link names:
<3>[    2.689880] init:     /dev/block/platform/msm_sdcc.1/by-name/modemst1
<3>[    2.689922] init:     /dev/block/platform/msm_sdcc.1/by-num/p12
<3>[    2.689995] init:     /dev/block/platform/msm_sdcc.1/mmcblk0p12

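To illustrate the precedence point made earlier in this reply (an exact file_contexts entry for the real device path winning over the entry for the by-name link), here is an added Python model of the lookup; it is not libselinux's code or anything posted in the thread, and both the file_contexts fragment and the precedence order it encodes (exact entry for the path, then an exact entry for a link name, then the longest literal prefix) are my assumptions for the demonstration.

```python
import re

# Constructed file_contexts fragment (not from the thread); the last entry is the
# kind of line Stephen suspects exists elsewhere in the reporter's policy.
FILE_CONTEXTS = """\
/dev/block(/.*)?                    u:object_r:block_device:s0
/dev/block/bootdevice/by-name/ssd   u:object_r:ssd_device:s0
/dev/block/mmcblk0p23               u:object_r:storage_partition_device:s0
"""
META = re.compile(r'[.\[\]()*+?|^$\\{}]')  # an entry without these is "exact"


def parse_file_contexts(text):
    """Parse 'regex [-type] context' lines into specs, keeping file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith('#'):
            continue
        regex, ctx, m = fields[0], fields[-1], META.search(fields[0])
        specs.append({'regex': re.compile('^' + regex + '$'), 'ctx': ctx,
                      'exact': m is None,
                      'prefix_len': m.start() if m else len(regex)})
    return specs


def lookup_common(specs, name):
    """Single-name lookup: the last matching entry in file order wins."""
    return next((s for s in reversed(specs) if s['regex'].match(name)), None)


def lookup_best_match(specs, path, links=()):
    """Assumed precedence (my model, not libselinux): exact entry for the real
    path, then exact entry for any link name, else longest literal prefix."""
    best = None
    for name in (path, *links):
        spec = lookup_common(specs, name)
        if spec is None:
            continue
        if spec['exact']:
            return spec['ctx']
        if best is None or spec['prefix_len'] > best['prefix_len']:
            best = spec
    return best['ctx'] if best else None
```

With the third entry present the real path /dev/block/mmcblk0p23 resolves to storage_partition_device, which is the denial in the thread; remove that entry and the by-name link decides the label.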

diff --git a/init/devices.c b/init/devices.c
index ea9a4b2..b4b9bfc 100644
--- a/init/devices.c
+++ b/init/devices.c
@@ -214,10 +214,17 @@ static void make_device(const char *path,
     mode_t mode;
     dev_t dev;
     char *secontext = NULL;
+    int i;
 
     mode = get_device_perm(path, &uid, &gid) | (block ? S_IFBLK : S_IFCHR);
 
     if (sehandle) {
+        ERROR("Looking up best match for %s\n", path);
+        if (links) {
+            ERROR("  With the following link names:\n");
+            for (i = 0; links[i]; i++)
+                ERROR("    %s\n", links[i]);
+        }
         selabel_lookup_best_match(sehandle, &secontext, path, links, mode);
         setfscreatecon(secontext);
     }
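Review bot: the new ERROR() lines print the candidates (path and link names) but not the outcome of selabel_lookup_best_match(), which is the value that actually tells you which file_contexts entry won; consider adding `ERROR("  Best match: %s\n", secontext ? secontext : "(none)");` after the call. The call's return value is also unchecked: on failure secontext stays NULL and the following setfscreatecon(secontext) silently resets the create context instead of reporting the lookup error. Since ERROR() now fires for every device node ueventd creates, this is fine for a throwaway debug patch but should not be merged as-is.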
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov