When you're booted into recovery mode, you should never be touching /data. /data is only supposed to be modified while the system is booted normally.
In particular, this operation will fail if the device is encrypted, since none of the files will be readable / writable.

What are you trying to do?

-- Nick

2014-10-21 17:36 GMT-07:00 심현용 <[email protected]>:

> Hi, I have a problem in recovery mode.
>
> This is the error log.
> <5>[ 6.253512 / 01-01 09:17:40.910] type=1400 audit(33460.910:3): avc:
> denied { write } for pid=226 comm="recovery" name="keystore"
> dev="mmcblk0p42" ino=726245 scontext=u:r:recovery:s0
> tcontext=u:object_r:keystore_data_file:s0 tclass=dir
> <5>[ 6.253540 / 01-01 09:17:40.910] type=1400 audit(33460.910:4): avc:
> denied { remove_name } for pid=226 comm="recovery" name="user_0"
> dev="mmcblk0p42" ino=726272 scontext=u:r:recovery:s0
> tcontext=u:object_r:keystore_data_file:s0 tclass=dir
> <5>[ 6.253564 / 01-01 09:17:40.910] type=1400 audit(33460.910:5): avc:
> denied { rmdir } for pid=226 comm="recovery" name="user_0"
> dev="mmcblk0p42" ino=726272 scontext=u:r:recovery:s0
> tcontext=u:object_r:keystore_data_file:s0 tclass=dir
> <5>[ 6.253658 / 01-01 09:17:40.910] type=1400 audit(33460.910:6): avc:
> denied { unlink } for pid=226 comm="recovery" name=".metadata"
> dev="mmcblk0p42" ino=726273 scontext=u:r:recovery:s0
> tcontext=u:object_r:keystore_data_file:s0 tclass=file
>
> I fixed this error, but it is a neverallow, so I can't fix this
> issue. It causes a build error because of the neverallow.
>
> (google aosp policy path) android/external/sepolicy/keystore.te :
>
> 21 neverallow { domain -keystore } keystore_data_file:dir ~{ open create
> read getattr setattr search relabelto };
> 22 neverallow { domain -keystore }
> keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
>
> It means all domains except keystore don't have access to
> keystore_data_file:dir write, remove_name, rmdir ... and so on, and
> also all domains except keystore don't have access to
> keystore_data_file:file unlink, right?
>
> But I could find the next lines.
>
> 24 neverallow { domain -keystore -init -kernel -recovery }
> keystore_data_file:dir *;
> 25 neverallow { domain -keystore -init -kernel -recovery }
> keystore_data_file:notdevfile_class_set *;
>
> It means the recovery domain allows all operations on
> keystore_data_file:dir and file.
>
> I am confused by this neverallow policy.
>
> Please help me... as soon as possible.
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].

--
Nick Kralevich | Android Security | [email protected] | 650.214.4037
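How the four neverallow lines quoted in the thread combine for the denials in the log, as an added example that is not part of the thread or of the AOSP policy: each neverallow is checked on its own, so the `-recovery` exemption on lines 24/25 grants nothing and lines 21/22 still cover the recovery domain. The rule table, the expansion of `notdevfile_class_set`, and the abridged log lines are assumptions built from the quoted text.

```python
import re

# neverallow rules quoted in the thread (keystore.te lines 21, 22, 24, 25) as
# (line, exempt source domains, target classes, permissions left unforbidden).
# None stands for "*". Assumption: notdevfile_class_set expands to NOTDEVFILE.
NOTDEVFILE = {"file", "lnk_file", "sock_file", "fifo_file"}
BROAD = {"keystore", "init", "kernel", "recovery"}
RULES = [
    (21, {"keystore"}, {"dir"},
     {"open", "create", "read", "getattr", "setattr", "search", "relabelto"}),
    (22, {"keystore"}, NOTDEVFILE, {"relabelto", "getattr"}),
    (24, BROAD, {"dir"}, None),
    (25, BROAD, NOTDEVFILE, None),
]
AVC = re.compile(
    r"avc:\s+denied\s+\{ (?P<perm>\w+) \}.*?scontext=u:r:(?P<src>\w+):s0\s+"
    r"tcontext=u:object_r:(?P<tgt>\w+):s0\s+tclass=(?P<cls>\w+)")

def violated_rules(src, cls, perm):
    """Quoted rule lines that 'allow src keystore_data_file:cls perm' violates."""
    hits = []
    for line, exempt, classes, leftover in RULES:
        if src in exempt or cls not in classes:
            continue  # rule does not apply to this source/class; grants nothing
        # "~{ set }" forbids every permission outside the set; "*" forbids all.
        if leftover is None or perm not in leftover:
            hits.append(line)
    return hits

def check_denials(log):
    """List (src, class, perm, violated rule lines) per keystore_data_file denial."""
    return [(m["src"], m["cls"], m["perm"],
             violated_rules(m["src"], m["cls"], m["perm"]))
            for m in AVC.finditer(log) if m["tgt"] == "keystore_data_file"]

# The four denials from the thread, abridged (timestamp, pid, dev, ino dropped).
LOG = """\
avc: denied { write } for comm="recovery" name="keystore" scontext=u:r:recovery:s0 tcontext=u:object_r:keystore_data_file:s0 tclass=dir
avc: denied { remove_name } for comm="recovery" name="user_0" scontext=u:r:recovery:s0 tcontext=u:object_r:keystore_data_file:s0 tclass=dir
avc: denied { rmdir } for comm="recovery" name="user_0" scontext=u:r:recovery:s0 tcontext=u:object_r:keystore_data_file:s0 tclass=dir
avc: denied { unlink } for comm="recovery" name=".metadata" scontext=u:r:recovery:s0 tcontext=u:object_r:keystore_data_file:s0 tclass=file
"""

if __name__ == "__main__":
    for src, cls, perm, lines in check_denials(LOG):
        print(f"{src} {cls}:{perm} -> blocked by neverallow line(s) {lines}")
```

Every denial in the log maps to line 21 or 22, which is why adding the matching allow rules for recovery breaks the policy build.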
