On 21 October 2015 at 10:23, Jeffrey Vander Stoep <je...@google.com> wrote:
>
> You should already have the proper functionality in 3.18. See if you have:
>
> commit b43e725d8d386bf2092473953b525aaae71b6c28
> Author: Eric Paris <epa...@redhat.com>
> Date: Wed Oct 10 14:27:35 2012 -0400
>
> SELinux: use a helper function to determine seclabel
>

You are right, we have this commit in the 3.18 kernel.
Then how do we explain why Nexus9 does not need the following rules?

allow init cache_file:dir mounton;
allow init storage_file:dir mounton;

Thanks,
Yongqin Liu

>
> On Tue, Oct 20, 2015 at 6:58 PM YongQin Liu <yongqin....@linaro.org>
> wrote:
>
>> Hi, Stephen, Jeffrey
>>
>> On 21 October 2015 at 05:05, Stephen Smalley <stephen.smal...@gmail.com>
>> wrote:
>>
>>> Are you using the initramfs contents as your rootfs,
>>
>> We are using the initramfs as rootfs.
>>
>> And our kernel is based on the 3.18 version, and does not have this
>> patch applied:
>> https://android-review.googlesource.com/#/c/58360/
>>
>> Should we apply this patch to our kernel?
>>
>> Thanks,
>> Yongqin Liu
>>
>>
>>> or pivoting to an
>>> ext4 root filesystem image that you built?
>>>
>>> On Tue, Oct 20, 2015 at 10:59 AM, YongQin Liu <yongqin....@linaro.org>
>>> wrote:
>>> > Hi, All
>>> >
>>> > When I tried the Marshmallow version on our platforms, I got the following
>>> > warnings:
>>> > avc: denied { mounton } for pid=1 comm="init" path="/cache" dev="rootfs" ino=73 scontext=u:r:init:s0 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=1
>>> > avc: denied { mounton } for pid=1 comm="init" path="/storage" dev="rootfs" ino=73 scontext=u:r:init:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1
>>> >
>>> > To remove these warnings, I need to add the following rules to the init.te
>>> > file:
>>> > allow init cache_file:dir mounton;
>>> > allow init storage_file:dir mounton;
>>> >
>>> > but I did not see similar rules added to the init.te file for the Nexus9
>>> > build (device/htc/flounder/sepolicy/),
>>> > and there are no such warnings on the Nexus9 build either.
>>> >
>>> > I am confused about why Nexus9 does not need the mounton rules for the init
>>> > domain, and does not have the warnings.
>>> >
>>> > Can anyone here help explain this for me or point me to where I should
>>> > check?
>>> >
>>> > Thanks in advance!
>>> > --
>>> > Best Regards,
>>> > Yongqin Liu
>>> > ---------------------------------------------------------------
>>> > #mailing list
>>> > linaro-andr...@lists.linaro.org
>>> > http://lists.linaro.org/mailman/listinfo/linaro-android
>>> >
>>> > _______________________________________________
>>> > Seandroid-list mailing list
>>> > Seandroid-list@tycho.nsa.gov
>>> > To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
>>> > To get help, send an email containing "help" to
>>> > seandroid-list-requ...@tycho.nsa.gov.
>>>
>>
>> --
>> Best Regards,
>> Yongqin Liu
>> ---------------------------------------------------------------
>> #mailing list
>> linaro-andr...@lists.linaro.org <linaro-...@lists.linaro.org>
>> http://lists.linaro.org/mailman/listinfo/linaro-android
>>
>

--
Best Regards,
Yongqin Liu
---------------------------------------------------------------
#mailing list
linaro-andr...@lists.linaro.org <linaro-...@lists.linaro.org>
http://lists.linaro.org/mailman/listinfo/linaro-android
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to
seandroid-list-requ...@tycho.nsa.gov.
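
Added example, not part of the original thread or of any project's code: a small Python parser that turns the two AVC denials quoted in the message into the allow rules the poster derived, in the manner of audit2allow, and lists which denials carried permissive=1 (logged, not blocked). The function names are hypothetical; the sample log is the thread's two denials rejoined onto single lines.

```python
import re
from collections import defaultdict

# The two denials quoted in the thread, each rejoined onto one line.
SAMPLE_LOG = """\
avc: denied { mounton } for pid=1 comm="init" path="/cache" dev="rootfs" ino=73 scontext=u:r:init:s0 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=1
avc: denied { mounton } for pid=1 comm="init" path="/storage" dev="rootfs" ino=73 scontext=u:r:init:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the denial's fields as a dict, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def type_of(context):
    """A context is user:role:type[:level]; allow rules name only the type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def allow_rules(log):
    """Merge denials by (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_denial, log.splitlines())):
        src = type_of(rec.get("scontext", ""))
        tgt = type_of(rec.get("tcontext", ""))
        if src and tgt and "tclass" in rec and rec["perms"]:
            key = (src, "self" if tgt == src else tgt, rec["tclass"])
            grouped[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

def logged_only_paths(log):
    """Paths of denials with permissive=1: logged, but the access went through."""
    recs = filter(None, map(parse_denial, log.splitlines()))
    return [r["path"] for r in recs if r.get("permissive") == "1" and "path" in r]

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
    print("not blocked (permissive=1):", logged_only_paths(SAMPLE_LOG))
```

A generated rule only records what was denied; whether it belongs in policy still has to be decided by review, which is the question the thread raises about the Nexus9 build.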