On 10/27/2014 02:26 PM, [email protected] wrote:
> Hi Stephen,
> Thanks for your great support for HTC. Thank you so much for your help.
>
> 1. This upgrade is from L-LRX14C (Enforcing) to L-LRX16G (Enforcing), not
> Android 4.2.

Hmm...but unlabeled files should only exist on pre-SELinux releases, e.g. 4.2 and earlier, and thus if the device was originally installed with 4.3 or later I wouldn't expect any unlabeled files to exist.

> 2. On upgrades, /data should be labeled automatically in two stages:
> 2.1 In init.rc, we found that restorecon_recursive /data exists in our
> codebase.
> 2.2 https://android-review.googlesource.com/#/c/89166/ => Included

This was the most recent version of the code; I only included the latter ones in case you needed the full set of dependencies. So as long as it matched this one you're fine. Also, you can expect some differences since L has not yet been released into AOSP AFAIK and thus may diverge from AOSP master.

> 2.3 https://android-review.googlesource.com/#/c/89216/ => Included

Ditto.

> 2.4 https://android-review.googlesource.com/#/c/82802/ => There are some
> differences (Installer.java and PackageManagerService.java)

That's ok; it's just the older version in AOSP.

> 2.5 https://android-review.googlesource.com/#/c/82970/ => There are some
> rules that are not the same in installd.te

Ditto.

> 3. Can you clarify whether it is files under /data that are unlabeled or just
> ones under /data/data?
> We can get labels under /data, but cannot see the ls -Z result under
> /data/data, which shows Permission denied even though I'm root.
> 1|root@htc_m8:/data/data # ls -Z
> ls -Z
> opendir failed, Permission denied

So "ls -ZR /data | grep unlabeled" shows no other unlabeled data? What is the security context of your root shell (run id or ps -Z)?

> 4. If you allow system_server these permissions, does it proceed to relabel
> the files?
> Do you mean to clear all avc denials about unlabeled from installd.te and
> system_server.te as below?
> allow installd unlabeled:dir setattr
> Line 4139: <6>[ 1127.173017] c1 427 type=1400
> audit(1414120844.274:2464): avc: denied { setattr } for pid=491
> comm="installd" name="com.hp.android.printservice" dev="mmcblk0p47" ino=82079
> scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
> allow system_server unlabeled:file write
> Line 4151: <6>[ 1127.453015] c1 427 type=1400
> audit(1414120844.554:2465): avc: denied { write } for pid=27834
> comm="system_server" name="settings.db" dev="mmcblk0p47" ino=82146
> scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

Yes, exactly. system_server and installd are supposed to relabel /data/data during the upgrade, so we may need to allow them certain permissions to unlabeled files for upgrade purposes but then the files should be labeled correctly thereafter. We already do this to some extent but not these particular permissions.

_______________________________________________
Seandroid-list mailing list
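As an added example (not code from the thread, AOSP or HTC), a small Python script that parses avc denial lines like the two quoted above, aggregates them into the "allow source target:class { perms };" form used in the discussion, and lets a policy reviewer pull out just the denials whose target type is unlabeled, i.e. the ones that only make sense as upgrade-time relabeling rules. The two denial lines are the ones from the thread with the line wrap repaired; the third line is constructed.

```python
import re
from collections import defaultdict

# Matches the fields of a kernel AVC denial; the dmesg/audit prefix in front
# of "avc:" is skipped because we search rather than match from the start.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

SAMPLE_LOG = [
    # The two denials quoted in the thread, joined back onto single lines:
    '<6>[ 1127.173017] c1 427 type=1400 audit(1414120844.274:2464): avc: denied { setattr } for pid=491 comm="installd" name="com.hp.android.printservice" dev="mmcblk0p47" ino=82079 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir',
    '<6>[ 1127.453015] c1 427 type=1400 audit(1414120844.554:2465): avc: denied { write } for pid=27834 comm="system_server" name="settings.db" dev="mmcblk0p47" ino=82146 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file',
    # Constructed denial against a correctly labeled target, to show it is
    # left out when filtering for unlabeled files:
    '<6>[ 1130.000000] c1 427 type=1400 audit(1414120847.000:2470): avc: denied { read } for pid=27834 comm="system_server" name="x" dev="mmcblk0p47" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:system_data_file:s0 tclass=file',
]


def seltype(context):
    """Return the type field of a context such as u:r:installd:s0."""
    return context.split(":")[2]


def parse_denials(lines):
    """Yield (source type, target type, class, permission) per denied permission."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            yield (seltype(m.group("scontext")), seltype(m.group("tcontext")),
                   m.group("tclass"), perm)


def candidate_rules(lines, target_type=None):
    """Aggregate denials into allow-rule strings for review.

    With target_type="unlabeled" only denials on unlabeled objects are kept;
    such rules should be treated as upgrade-only, since after restorecon the
    files carry their proper types and the rule should no longer be needed.
    """
    perms = defaultdict(set)
    for src, tgt, cls, perm in parse_denials(lines):
        if target_type is None or tgt == target_type:
            perms[(src, tgt, cls)].add(perm)
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
            for (src, tgt, cls), p in sorted(perms.items())]


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG, target_type="unlabeled"):
        print(rule)
```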
