From: Stephen Smalley [mailto:[email protected]]
Sent: Wednesday, May 25, 2016 6:43 PM
To: Inamdar Sharif; [email protected]
Subject: Re: SELinux failing with kernel 4.4 (Kernel panic)
On 05/25/2016 08:38 AM, Inamdar Sharif wrote:
>>>> [ 4.584035] audit: type=1400 audit(1464177814.820:4): avc: denied {
>>>> write } for pid=1 comm="init"
>>>> path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="rootfs"
>>>> ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0
>>>> tclass=chr_file permissive=0
>>>
>>> The path above decodes to /dev/__kmsg__ (deleted). The fact that it has
>>> the rootfs type means you didn't have a /dev mounted before it was created?
>>>
>>
>> I am just changing the kernel. Rest all is same. SELinux works fine with
>> 3.18. Is this some issue in init??
>
>system/core/init/init.cpp does this:
>    if (is_first_stage) {
>        mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
>before it does:
>    open_devnull_stdio();
>    klog_init();
>
>and system/core/libcutils/klog.c:klog_init() does the /dev/__kmsg__ node
>creation.
>
>So you should have a tmpfs mount on /dev, and thus /dev/__kmsg__ should be
>labeled tmpfs, and init.te has:
>allow init tmpfs:chr_file create_file_perms;
>
>So, unless your kernel config doesn't enable TMPFS, I'm not sure why you would
>end up with a rootfs /dev/__kmsg__.
>
>I guess that's an interesting question - how does your .config differ between
>4.4 and 3.18?
>
Yes, in 4.4 CONFIG_TMPFS is not enabled.
>>>> Also one more issue which I am facing that I am not able to change
>>>> the mode to permissive mode.
>>>>
>>>> I tried adding “BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive”
>>>> but no effect.
>>>
>>> Where did you add the variable? Is it being overridden elsewhere in
>>> another .mk file?
>>>
>>
>> I have added this variable in BoardConfig.mk. Is there any other way to do
>> it??
>
>I'd expect there to already be a BOARD_KERNEL_CMDLINE definition somewhere in
>your BoardConfig.mk file (or BoardConfigCommon.mk, or another .mk file that
>gets included). So I would check to see if there are any such definitions in
>your device or vendor trees and make sure that the definition you added isn't
>just being overridden by another.
>Usually you would append androidboot.selinux=permissive to an existing
>BOARD_KERNEL_CMDLINE definition.
>
I tried using "+=" but still the same. Using + should take effect right??
>>
>>> Is this a -userdebug or -eng build?
>>>
>> It’s a -eng build.
>>
>>> Are you using AOSP master or a particular release?
>>>
>>
>> I am using AOSP master/android-4.4
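The first diagnostic step in the thread is decoding the hex-encoded `path=` field of the AVC denial and reading `dev="rootfs"` as "nothing was mounted on /dev when init created the node". The following parser, an added example and not code from the thread or from AOSP, does both over the denial quoted above (embedded here as a constructed one-line sample, with dmesg's `[ 4.584035] audit: type=1400` prefix stripped). The set of string-typed fields and the `diagnose_dev_node` heuristic are assumptions made for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample: the denial quoted in the thread, joined onto one line as the
# kernel prints it (the dmesg "[ 4.584035] audit: type=1400" prefix is removed).
SAMPLE_AVC = (
    'audit(1464177814.820:4): avc: denied { write } for pid=1 comm="init" '
    'path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="rootfs" '
    'ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 '
    'tclass=chr_file permissive=0'
)

# Assumption for this example: only these fields carry free-form strings that the
# audit subsystem may hex-encode. Numeric fields such as ino=9275 happen to be
# valid hex and must never be decoded.
STRING_FIELDS = {"path", "comm", "name", "exe"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\b(denied|granted)\s*\{\s*([^}]*)\}')


def decode_audit_string(raw: str) -> str:
    """Audit prints a string field double-quoted, or, when it contains a space,
    a quote or a control character, unquoted as uppercase hex of its bytes.
    Undo either form; anything else is returned untouched."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line: str) -> Dict[str, object]:
    """Split one 'avc: denied { ... }' message into a dict of its key=value
    fields plus the verdict and the list of permissions."""
    m = PERMS_RE.search(line)
    if m is None:
        raise ValueError("not an AVC message: " + line)
    rec: Dict[str, object] = {"verdict": m.group(1), "perms": m.group(2).split()}
    for key, value in FIELD_RE.findall(line[m.end():]):
        # Hex-decode only string fields; for the rest just drop surrounding quotes.
        rec[key] = decode_audit_string(value) if key in STRING_FIELDS else value.strip('"')
    return rec


def diagnose_dev_node(rec: Dict[str, object]) -> Optional[str]:
    """The check applied in the thread: a node under /dev whose dev= is rootfs
    was created before anything was mounted on /dev, so init's tmpfs mount of
    /dev did not happen (in this thread, because CONFIG_TMPFS was disabled)."""
    path = str(rec.get("path", ""))
    if path.startswith("/dev/") and rec.get("dev") == "rootfs":
        return (
            "%s was created on rootfs, not on a tmpfs /dev: the early mount of /dev "
            "did not take effect (check CONFIG_TMPFS in the kernel .config)" % path
        )
    return None


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(record["path"], record["perms"], record["tclass"])
    print(diagnose_dev_node(record))
```

Running the block prints the decoded path `/dev/__kmsg__ (deleted)` and the rootfs diagnosis; the same parser can be pointed at a full `dmesg` or logcat capture one line at a time, which is how you would confirm whether every early denial shares the rootfs symptom.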
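The second point in the thread, that an added `BOARD_KERNEL_CMDLINE` line is probably overridden by another definition in the device or vendor tree, is easiest to settle by listing every assignment in the order make reads the .mk files and replaying it. The scanner below is an added example, not code from the thread or from the AOSP build system; the two makefile contents are constructed and the file paths invented, and it applies simplified make semantics (`:=` and `=` replace the value, `+=` appends, `include` lines are ignored because the input is already given in include order).

```python
import re
from typing import List, Tuple

# Constructed sample: two board makefiles in the order make reads them. The paths
# and contents are invented for this example.
SAMPLE_MK_FILES = [
    ("device/vendor/common/BoardConfigCommon.mk",
     "BOARD_KERNEL_CMDLINE := console=ttyS0,115200 androidboot.hardware=example\n"),
    ("device/vendor/example/BoardConfig.mk",
     "include device/vendor/common/BoardConfigCommon.mk\n"
     "BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive\n"
     "# a later plain assignment silently discards everything appended above\n"
     "BOARD_KERNEL_CMDLINE := console=ttyS0,115200 androidboot.hardware=example\n"),
]

# Same tree with the append moved after the last ':=' so it survives.
FIXED_MK_FILES = [
    SAMPLE_MK_FILES[0],
    ("device/vendor/example/BoardConfig.mk",
     "include device/vendor/common/BoardConfigCommon.mk\n"
     "BOARD_KERNEL_CMDLINE := console=ttyS0,115200 androidboot.hardware=example\n"
     "BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive\n"),
]

ASSIGN_RE = re.compile(r"^\s*(BOARD_KERNEL_CMDLINE)\s*(\+=|:=|=)\s*(.*?)\s*$")


def find_assignments(files: List[Tuple[str, str]]) -> List[Tuple[str, int, str, str]]:
    """Return (file, line number, operator, right-hand side) for every
    BOARD_KERNEL_CMDLINE assignment, in read order. Comment lines never match
    because the regex anchors on the variable name at line start."""
    found = []
    for name, text in files:
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = ASSIGN_RE.match(line)
            if m:
                found.append((name, lineno, m.group(2), m.group(3)))
    return found


def resolve_cmdline(files: List[Tuple[str, str]]) -> str:
    """Replay the assignments with simplified make semantics (an assumption of
    this example): ':=' and '=' replace, '+=' appends a space-separated word."""
    value = ""
    for _, _, op, rhs in find_assignments(files):
        value = rhs if op in (":=", "=") else (value + " " + rhs).strip()
    return value


def permissive_survives(files: List[Tuple[str, str]]) -> bool:
    """True if androidboot.selinux=permissive is still present in the final value."""
    return "androidboot.selinux=permissive" in resolve_cmdline(files).split()


if __name__ == "__main__":
    for entry in find_assignments(SAMPLE_MK_FILES):
        print("%s:%d  %s %s" % entry)
    print("final:", resolve_cmdline(SAMPLE_MK_FILES))
    print("permissive kept:", permissive_survives(SAMPLE_MK_FILES))
```

On a real tree you would feed it the BoardConfig.mk, BoardConfigCommon.mk and any other included .mk files in the order they are read; the listing shows at a glance which assignment wins, which is the check Stephen suggests before concluding that `+=` "has no effect".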
_______________________________________________
Seandroid-list mailing list
[email protected]