Hi, I have a problem in recovery mode.

This is the error log.
<5>[    6.253512 / 01-01 09:17:40.910] type=1400 audit(33460.910:3): avc:
denied  { write } for  pid=226 comm="recovery" name="keystore"
dev="mmcblk0p42" ino=726245 scontext=u:r:recovery:s0
tcontext=u:object_r:keystore_data_file:s0 tclass=dir
<5>[    6.253540 / 01-01 09:17:40.910] type=1400 audit(33460.910:4): avc:
denied  { remove_name } for  pid=226 comm="recovery" name="user_0"
dev="mmcblk0p42" ino=726272 scontext=u:r:recovery:s0
tcontext=u:object_r:keystore_data_file:s0 tclass=dir
<5>[    6.253564 / 01-01 09:17:40.910] type=1400 audit(33460.910:5): avc:
denied  { rmdir } for  pid=226 comm="recovery" name="user_0"
dev="mmcblk0p42" ino=726272 scontext=u:r:recovery:s0
tcontext=u:object_r:keystore_data_file:s0 tclass=dir
<5>[    6.253658 / 01-01 09:17:40.910] type=1400 audit(33460.910:6): avc:
denied  { unlink } for  pid=226 comm="recovery" name=".metadata"
dev="mmcblk0p42" ino=726273 scontext=u:r:recovery:s0
tcontext=u:object_r:keystore_data_file:s0 tclass=file

I tried to fix this error, but it is a neverallow, so I can't fix this issue.
It causes a build error because of the neverallow.

(google aosp policy path) android/external/sepolicy/keystore.te :

neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

It means all domains except keystore don't have access to
keystore_data_file:dir write, remove_name, rmdir ... and so on, and
also all domains except keystore don't have access to keystore_data_file:file
unlink.. right?

But I could find the next lines.
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;

It means the recovery domain allows all operations on keystore_data_file:dir
and file.

I am confused by this neverallow policy.

Please help me...as soon as possible.
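
An added example (not part of the original post, and not AOSP code): a small Python model that checks the four neverallow rules quoted above against the denials in the log. Each neverallow is an independent build-time assertion, so an exemption from one rule grants nothing and does not lift another rule. The expansion of notdevfile_class_set and the treatment of every source type as a member of "domain" are assumptions of this model.

```python
import re

# The four denials from the post, abridged and rejoined onto one line each.
CTX = ('dev="mmcblk0p42" scontext=u:r:recovery:s0 '
       'tcontext=u:object_r:keystore_data_file:s0 tclass=')
AVC_LOG = "\n".join([
    'avc: denied { write } for pid=226 comm="recovery" name="keystore" ' + CTX + "dir",
    'avc: denied { remove_name } for pid=226 comm="recovery" name="user_0" ' + CTX + "dir",
    'avc: denied { rmdir } for pid=226 comm="recovery" name="user_0" ' + CTX + "dir",
    'avc: denied { unlink } for pid=226 comm="recovery" name=".metadata" ' + CTX + "file",
])

# Assumption: notdevfile_class_set expands to these classes (AOSP global_macros).
NOTDEVFILE = {"file", "lnk_file", "sock_file", "fifo_file"}
EXEMPT = {"keystore", "init", "kernel", "recovery"}

# (rule label, sources subtracted from "domain", classes, permissions NOT forbidden).
# "~{ a b }" forbids everything except a and b; "*" forbids everything (empty set).
RULES = [
    ("{ domain -keystore } dir", {"keystore"}, {"dir"},
     {"open", "create", "read", "getattr", "setattr", "search", "relabelto"}),
    ("{ domain -keystore } notdevfile", {"keystore"}, NOTDEVFILE,
     {"relabelto", "getattr"}),
    ("{ domain -keystore -init -kernel -recovery } dir", EXEMPT, {"dir"}, set()),
    ("{ domain -keystore -init -kernel -recovery } notdevfile", EXEMPT, NOTDEVFILE, set()),
]

AVC_RE = re.compile(r"denied \{ (?P<perms>[^}]+)\} .*?scontext=u:r:(?P<src>\w+):s0 "
                    r"tcontext=u:object_r:(?P<tgt>\w+):s0 tclass=(?P<cls>\w+)")

def parse_denials(log):
    """Return one (source, target, class, permission) tuple per denied permission."""
    return [(m["src"], m["tgt"], m["cls"], perm)
            for m in AVC_RE.finditer(log) for perm in m["perms"].split()]

def violated(src, tgt, cls, perm):
    """Rules that `allow src tgt:cls perm;` would break; every rule is checked alone."""
    return [label for label, excluded, classes, permitted in RULES
            if tgt == "keystore_data_file" and src not in excluded
            and cls in classes and perm not in permitted]

if __name__ == "__main__":
    for denial in parse_denials(AVC_LOG):
        print(denial, "->", violated(*denial) or "no neverallow hit")
```

Run on the log, every denial maps to one of the "{ domain -keystore }" rules, which is why adding the matching allow rules for recovery stops the build even though recovery is subtracted in the other pair.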