On 10/27/2014 03:44 PM, [email protected] wrote:
> So "ls -ZR /data | grep unlabeled" shows no other unlabeled data?
> root@htc_m8:/data # ls -ZR
> ls -ZR

So it looks like everything you can see under /data is labeled, but we can't really tell from that output whether the denied ones were unlabeled or labeled but not allowed by policy. Run dmesg or logcat to grab the latest set of avc: denied messages and see whether the target context was unlabeled or not.

> What is the security context of your root shell (run id or ps -Z)?
> root@htc_m8:/ # ps -Z
> ps -Z
> LABEL              USER    PID   PPID  NAME
> u:r:init:s0        root    399   1     /system/bin/pnpmgr
> u:r:init:s0        nobody  405   1     /system/bin/rmt_storage
> u:r:init:s0        radio   419   1     /system/bin/qmuxd
> u:r:init:s0        radio   422   1     /system/bin/netmgrd
> u:r:init:s0        nobody  516   1     /system/bin/hvdcp
> u:r:init:s0        root    532   1     /system/bin/thermal-engine
> u:r:init:s0        system  536   1     /system/bin/qseecomd
> u:r:init:s0        media   537   1     /system/bin/adsprpcd
> u:r:init:s0        system  545   1     /system/bin/time_daemon
> u:r:init:s0        system  546   1     /system/bin/audiod
> u:r:init:s0        system  547   1     /system/bin/wcnss_service
> u:r:init:s0        root    681   1     /system/bin/htcserviced
> u:r:init_shell:s0  root    768   1     /system/bin/htcramdumpqct
> u:r:init:s0        system  989   536   /system/bin/qseecomd

Unrelated to your unlabeled file issue, but all of these daemons need to be transitioned out of the init domain and into their own domain. For the qualcomm-based ones, you can find examples in device/lge/hammerhead at least as starting points.

> u:r:shell:s0       root    3774  548   /system/bin/sh
> u:r:shell:s0       root    4142  3774  ps

Also unrelated to your unlabeled file issue, but your "root" shell is running in the SELinux shell domain and would therefore be denied any superuser capabilities and any access to unlabeled at least under AOSP policy. If you want to be able to run ls -Z /data/data, you'll need a root shell in the init or su domains.

You can try allowing installd and system_server the missing permissions to unlabeled and see if that makes any difference.
_______________________________________________
Seandroid-list mailing list
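
Added example, not part of the original message and not code from the thread's participants: one way to do the check suggested above, sorting avc: denied lines saved from dmesg or logcat by whether the target context is unlabeled or is labeled but not allowed by policy. The log lines, package names and the app_data_file type in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel "avc: denied" format; not output from the thread.
SAMPLE_LOG = """\
<5>[  101.11] type=1400 audit(1414424640.101:12): avc: denied { getattr } for pid=640 comm="installd" path="/data/data/com.example.one" dev="mmcblk0p47" ino=1101 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<5>[  101.12] type=1400 audit(1414424640.102:13): avc: denied { search } for pid=640 comm="installd" name="com.example.one" dev="mmcblk0p47" ino=1101 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<5>[  102.40] type=1400 audit(1414424641.400:14): avc: denied { read } for pid=900 comm="system_server" name="example.xml" dev="mmcblk0p47" ino=2202 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<6>[  103.00] healthd: battery l=80 v=4100 t=30.0 h=2 st=2
<5>[  104.77] type=1400 audit(1414424643.770:15): avc: denied { search } for pid=3774 comm="ls" name="data" dev="mmcblk0p47" ino=3303 scontext=u:r:shell:s0 tcontext=u:object_r:app_data_file:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def classify_denials(log_text):
    """Group denied permissions by (source type, target type, class),
    split on whether the target context is unlabeled."""
    result = {"unlabeled": defaultdict(set), "labeled": defaultdict(set)}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        ttype = context_type(m["tcontext"])
        bucket = "unlabeled" if ttype == "unlabeled" else "labeled"
        key = (context_type(m["scontext"]), ttype, m["tclass"])
        result[bucket][key].update(m["perms"].split())
    return result

def report(log_text):
    """One summary line per (source, target, class) group, unlabeled targets first."""
    lines = []
    for bucket, groups in classify_denials(log_text).items():
        for (src, tgt, cls), perms in sorted(groups.items()):
            lines.append(f"{bucket}: {src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Denials in the "unlabeled" group point at files that carry no valid label; those in the "labeled" group are labeled targets that policy does not allow for that source domain.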
