-----Original Message-----
From: Stephen Smalley [mailto:[email protected]] 
Sent: Wednesday, May 25, 2016 5:58 PM
To: Inamdar Sharif; [email protected]
Subject: Re: SELinux failing with kernel 4.4 (Kernel panic)

On 05/25/2016 08:08 AM, Inamdar Sharif wrote:
>> Hi Guys,
>>
>> I am getting the following denials and kernel panic while enabling
>> SELinux on k4.4
>>
>> <snip>
>> [    4.402909] init: init started!
>> [    4.413108] SELinux:  Android master kernel running Android M policy in compatibility mode.
>> [    4.426907] SELinux:  Permission module_load in class system not defined in policy.

>For module_load, you need this change for policy:
>https://android-review.googlesource.com/#/c/213981/

>> [    4.434937] SELinux:  Class netlink_iscsi_socket not defined in policy.
>> [    4.441594] SELinux:  Class netlink_fib_lookup_socket not defined in policy.
>> [    4.448697] SELinux:  Class netlink_connector_socket not defined in policy.
>> [    4.455667] SELinux:  Class netlink_netfilter_socket not defined in policy.
>> [    4.462666] SELinux:  Class netlink_generic_socket not defined in policy.
>> [    4.469468] SELinux:  Class netlink_scsitransport_socket not defined in policy.
>> [    4.476813] SELinux:  Class netlink_rdma_socket not defined in policy.
>> [    4.483343] SELinux:  Class netlink_crypto_socket not defined in policy.
>
>For the new netlink classes, you need this change from policy:
>https://android-review.googlesource.com/#/c/151750/
>
> 
>> [    4.490120] SELinux: the above unknown classes and permissions will be denied
>> [    4.545590] audit: type=1403 audit(1464177814.780:2): policy loaded auid=4294967295 ses=4294967295
>> [    4.555021] audit: type=1404 audit(1464177814.792:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
>> [    4.584035] audit: type=1400 audit(1464177814.820:4): avc:  denied  { write } for  pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="rootfs" ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
>
>The path above decodes to /dev/__kmsg__ (deleted).  The fact that it has the 
>rootfs type means you didn't have a /dev mounted before it was created?
>

I am just changing the kernel; everything else is the same. SELinux works fine with 3.18.
Is this some issue in init?

>> [    4.616270] audit: type=1400 audit(1464177814.852:5): avc:  denied  { read write } for  pid=1 comm="init" path=2F6465762F5F5F6E756C6C5F5F202864656C6574656429 dev="rootfs" ino=9274 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
>> [    4.639288] audit: type=1400 audit(1464177814.872:6): avc:  denied  { read write } for  pid=1 comm="init" path=2F6465762F5F5F6E756C6C5F5F202864656C6574656429 dev="rootfs" ino=9274 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
>> [    4.662281] audit: type=1400 audit(1464177814.900:7): avc:  denied  { read write } for  pid=1 comm="init" path=2F6465762F5F5F6E756C6C5F5F202864656C6574656429 dev="rootfs" ino=9274 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
>> [    4.686902] audit: type=1400 audit(1464177814.920:8): avc:  denied  { create } for  pid=1 comm="init" name="__kmsg__" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
>> [    4.704615] audit: type=1400 audit(1464177814.940:9): avc:  denied  { create } for  pid=1 comm="init" name="__kmsg__" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=0
>> [    4.722262] audit: type=1400 audit(1464177814.960:10): avc:  denied  { create } for  pid=1 comm="init" name=".booting" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
>> [    4.739943] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
>> </snip>
>>
>> I am using the AOSP kernel 4.4
>> https://android.googlesource.com/kernel/common/+/android-4.4
>>
>> Also, one more issue which I am facing is that I am not able to change
>> the mode to permissive mode.
>>
>> I tried adding “BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive”
>> but it has no effect.
>
>Where did you add the variable?  Is it being overridden elsewhere in another 
>.mk file?
>

I have added this variable in BoardConfig.mk. Is there any other way to do it?

>Is this a -userdebug or -eng build?
>
It’s an -eng build.

>Are you using AOSP master or a particular release?
>

I am using AOSP master/android-4.4

>>
>> Am I missing any kernel changes which can solve this issue?

Thanks.
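As an added example (not code from this thread or from AOSP), a small Python parser for AVC records like the ones quoted above: it decodes the hex-encoded path= field the way Stephen did by hand, splits off the "(deleted)" suffix, and flags the chr_file-on-rootfs pattern that points at /dev not yet being mounted. The sample line is the thread's first denial rewrapped onto one line; the set of fields treated as hex-encodable is an assumption based on which audit fields the kernel logs as untrusted strings.

```python
import re

# Constructed sample: the thread's first AVC denial, rewrapped onto one line.
SAMPLE = ('[    4.584035] audit: type=1400 audit(1464177814.820:4): avc:  denied  '
          '{ write } for  pid=1 comm="init" '
          'path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="rootfs" '
          'ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 '
          'tclass=chr_file permissive=0')

# Fields the kernel logs as "untrusted strings": quoted when clean, hex-encoded
# when they contain a space, a double quote or a control byte (assumed set).
UNTRUSTED_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd', 'proctitle'}

_AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')

def decode_audit_field(key, value):
    """Return the literal value of one key=value pair, undoing hex encoding."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in UNTRUSTED_FIELDS and _HEX.match(value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_avc(line):
    """Parse one AVC record into a dict; None if the line is not an AVC record."""
    m = _AVC.search(line)
    if not m:
        return None
    rec = {'decision': m.group(1), 'perms': m.group(2).split(), 'deleted': False}
    for key, raw in _KV.findall(m.group(3)):
        rec[key] = decode_audit_field(key, raw)
    # The kernel appends " (deleted)" when the dentry has already been unlinked.
    if rec.get('path', '').endswith(' (deleted)'):
        rec['path'] = rec['path'][:-len(' (deleted)')]
        rec['deleted'] = True
    return rec

def diagnose(rec):
    """Hint matching the observation in the thread: a chr_file target labelled
    rootfs means the node was created before a real /dev was mounted."""
    if rec.get('tclass') == 'chr_file' and rec.get('tcontext', '').endswith(':rootfs:s0'):
        return 'device node is on rootfs: /dev was not mounted when it was created'
    return None

if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(rec['path'], '(deleted)' if rec['deleted'] else '', diagnose(rec))
```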


_______________________________________________
Seandroid-list mailing list
[email protected]