On 05/25/2016 09:51 AM, Inamdar Sharif wrote:
>>
>> From: Stephen Smalley [mailto:[email protected]]
>> Sent: Wednesday, May 25, 2016 6:43 PM
>> To: Inamdar Sharif; [email protected]
>> Subject: Re: SELinux failing with kernel 4.4 (Kernel panic)
>>
>> On 05/25/2016 08:38 AM, Inamdar Sharif wrote:
>>>>>> [ 4.584035] audit: type=1400 audit(1464177814.820:4): avc: denied {
>>>>>> write } for pid=1 comm="init"
>>>>>> path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="rootfs"
>>>>>> ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0
>>>>>> tclass=chr_file permissive=0
>>>>>
>>>>> The path above decodes to /dev/__kmsg__ (deleted). The fact that it has
>>>>> the rootfs type means you didn't have a /dev mounted before it was
>>>>> created?
>>>>>
>>>>
>>>> I am just changing the kernel. Rest all is same. SELinux works fine with
>>>> 3.18. Is this some issue in init??
>>>
>>> system/core/init/init.cpp does this:
>>> if (is_first_stage) {
>>>     mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
>>> before it does:
>>>     open_devnull_stdio();
>>>     klog_init();
>>>
>>> and system/core/libcutils/klog.c:klog_init() does the /dev/__kmsg__ node
>>> creation.
>>>
>>> So you should have a tmpfs mount on /dev, and thus /dev/__kmsg__ should be
>>> labeled tmpfs, and init.te has:
>>> allow init tmpfs:chr_file create_file_perms;
>>>
>>> So, unless your kernel config doesn't enable TMPFS, I'm not sure why you
>>> would end up with a rootfs /dev/__kmsg__.
>>>
>>> I guess that's an interesting question - how does your .config differ
>>> between 4.4 and 3.18?
>>>
>>
>> Yes in 4.4 CONFIG_TMPFS is not enabled.
>
> Ok, I assume that was just an oversight on your part? Are you generating your
> kernel config as per kernel/common/android/configs/README so that it includes
> the base and recommended settings? Looks like TMPFS ought to be moved to
> android-base.cfg since it is required by init. And maybe init ought to be
> checking the return values of mount() calls...

Yes, I am generating my kernel config as per kernel/common/android/configs/README.
Enabling CONFIG_TMPFS did the trick. I missed that.
Yes, we should add that in android-base.cfg (but this is not required if SELinux is disabled).

>
>>
>>>>>> Also one more issue which I am facing that I am not able to change
>>>>>> the mode to permissive mode.
>>>>>>
>>>>>> I tried adding “BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive”
>>>>>> but no effect.
>>>>>
>>>>> Where did you add the variable? Is it being overridden elsewhere in
>>>>> another .mk file?
>>>>>
>>>>
>>>> I have added this variable in BoardConfig.mk. Is there any other way to do
>>>> it??
>>>
>>> I'd expect there to already be a BOARD_KERNEL_CMDLINE definition somewhere
>>> in your BoardConfig.mk file (or BoardConfigCommon.mk, or another .mk file
>>> that gets included). So I would check to see if there are any such
>>> definitions in your device or vendor trees and make sure that the
>>> definition you added isn't just being overridden by another.
>>> Usually you would append androidboot.selinux=permissive to an existing
>>> BOARD_KERNEL_CMDLINE definition.
>>>
>>
>> I tried using "+=" but still the same. Using + should take effect right??
>
> It depends on whether there is a subsequent definition in the same file or
> another file that does a := and thereby clobbers the definition entirely.
> grep -r BOARD_KERNEL_CMDLINE device/<vendor>/<product> to see if you have it
> defined anywhere.
> Also check for any includes of other .mk files from outside
> of your device tree.
>

Will check this. Thanks.
_______________________________________________
Seandroid-list mailing list
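
Added example, not part of the original thread or of any project's code: a small Python parser for the AVC record quoted above that decodes the hex-encoded path= field and flags the symptom discussed in the thread, a /dev node that still carries the rootfs label. The function names are hypothetical, and the check assumes the Android context format u:object_r:<type>:s0 seen in the record.

```python
import re

# Audit record quoted in the thread, rejoined onto one line.
SAMPLE = (
    '[ 4.584035] audit: type=1400 audit(1464177814.820:4): avc: denied { write } '
    'for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 '
    'dev="rootfs" ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 '
    'tclass=chr_file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Fields the kernel logs as "untrusted strings": quoted when printable,
# bare hex when they contain spaces, quotes or control characters.
UNTRUSTED = ("path", "name", "comm")

def decode_untrusted(raw):
    """Return the literal value of a quoted or hex-encoded audit field."""
    if raw.startswith('"'):
        return raw.strip('"')
    if HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw  # e.g. (null)

def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, raw in FIELD_RE.findall(m.group(3)):
        rec[key] = decode_untrusted(raw) if key in UNTRUSTED else raw.strip('"')
    return rec

def dev_on_rootfs(rec):
    """True when the target is under /dev but labeled rootfs, which is
    what the thread traced to the tmpfs mount on /dev not happening."""
    parts = rec.get("tcontext", "").split(":")
    return (rec.get("path", "").startswith("/dev/")
            and len(parts) >= 3 and parts[2] == "rootfs")

if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(rec["path"], "| rootfs-labeled /dev node:", dev_on_rootfs(rec))
```

A record flagged by dev_on_rootfs() is a prompt to check the kernel .config for CONFIG_TMPFS, as the thread concluded.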
