Thanks Stephen. That explains most of it.

-----Original Message-----
From: Stephen Smalley [mailto:[email protected]] 
Sent: Wednesday, May 25, 2016 8:11 PM
To: Inamdar Sharif; [email protected]
Subject: Re: SELinux failing with kernel 4.4 (Kernel panic)

On 05/25/2016 10:17 AM, Inamdar Sharif wrote:
> On 05/25/2016 09:51 AM, Inamdar Sharif wrote:
>>>
>>> From: Stephen Smalley [mailto:[email protected]]
>>> Sent: Wednesday, May 25, 2016 6:43 PM
>>> To: Inamdar Sharif; [email protected]
>>> Subject: Re: SELinux failing with kernel 4.4 (Kernel panic)
>>>
>>> On 05/25/2016 08:38 AM, Inamdar Sharif wrote:
>>>>>>> [    4.584035] audit: type=1400 audit(1464177814.820:4): avc:  denied  {
>>>>>>> write } for  pid=1 comm="init"
>>>>>>> path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="rootfs"
>>>>>>> ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 
>>>>>>> tclass=chr_file permissive=0
>>>>>>
>>>>>> The path above decodes to /dev/__kmsg__ (deleted).  The fact that it has 
>>>>>> the rootfs type means you didn't have a /dev mounted before it was 
>>>>>> created?
>>>>>>
>>>>>
>>>>> I am just changing the kernel. Everything else is the same. SELinux works fine with 
>>>>> 3.18. Is this some issue in init?
>>>>
>>>> system/core/init/init.cpp does this:
>>>>     if (is_first_stage) {
>>>>         mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
>>>> before it does:
>>>>     open_devnull_stdio();
>>>>     klog_init();
>>>>
>>>> and system/core/libcutils/klog.c:klog_init() does the /dev/__kmsg__ node 
>>>> creation.
>>>>
>>>> So you should have a tmpfs mount on /dev, and thus /dev/__kmsg__ should be 
>>>> labeled tmpfs, and init.te has:
>>>> allow init tmpfs:chr_file create_file_perms;
>>>>
>>>> So, unless your kernel config doesn't enable TMPFS, I'm not sure why you 
>>>> would end up with a rootfs /dev/__kmsg__.
>>>>>
>>>> I guess that's an interesting question - how does your .config differ 
>>>> between 4.4 and 3.18?
>>>>
>>>
>>> Yes in 4.4 CONFIG_TMPFS is not enabled.
>>
>> Ok, I assume that was just an oversight on your part?  Are you generating 
>> your kernel config as per kernel/common/android/configs/README so that it 
>> includes the base and recommended settings?  Looks like TMPFS ought to be 
>> moved to android->base.cfg since it is required by init.  And maybe init 
>> ought to be checking the return values of mount() calls... 
> 
> Yes I am generating my kernel config as per 
> kernel/common/android/configs/README
> Enabling CONFIG_TMPFS did the trick. I missed that.
> 
> Yes we should add that in android-base.cfg (but this is not required 
> if SELinux is disabled).

No, it is actually independent of SELinux; SELinux is just the messenger here.  
The init code and the init.rc file both assume that tmpfs is available to them, 
and while your system might boot in the absence of tmpfs without SELinux, it 
won't be operating correctly - you will be storing files directly in the rootfs 
that were intended to live in their own tmpfs mounts.

CONFIG_TMPFS=y is in android-recommended.cfg, so it should be included if 
following the README since it says to pass both to merge_config.sh, but it does 
belong in android-base.cfg given the hardcoded dependencies in init and init.rc 
(and probably elsewhere too).
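As an added illustration (not code from this thread or from AOSP), a small Python parser for AVC denials like the one quoted above: it decodes the hex-encoded path the kernel emits when a path contains spaces, and flags the condition Stephen describes, a node under /dev that landed on rootfs because the tmpfs mount was missing. The field names are the kernel audit ones shown in the message; the helper names and the second sample line are my own.

```python
import re

# AVC denial quoted in the thread, re-joined onto one line (the archive wrapped it).
AVC_LINE = (
    'audit: type=1400 audit(1464177814.820:4): avc:  denied  { write } for  pid=1 '
    'comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="rootfs" '
    'ino=9275 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 '
    'tclass=chr_file permissive=0'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')

# String fields that the audit subsystem hex-encodes instead of quoting when the
# value contains a space, quote or control character (e.g. "... (deleted)").
HEX_ENCODED_FIELDS = {'path', 'comm', 'name', 'exe', 'proctitle'}

def decode_audit_field(name, value):
    """Strip quotes from quoted values; hex-decode bare values of string fields."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if name in HEX_ENCODED_FIELDS and len(value) % 2 == 0 \
            and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_avc(line):
    """Return the key=value fields of an AVC record as a dict, plus the
    permission list and whether the record is a denial."""
    fields = {k: decode_audit_field(k, v) for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    fields['perms'] = perms.group(1).split() if perms else []
    fields['denied'] = ' denied ' in line
    return fields

def misplaced_dev_node(avc):
    """True when a /dev node was created on rootfs (rootfs type), i.e. the
    tmpfs that init mounts on /dev was not there, so init.te's
    'allow init tmpfs:chr_file create_file_perms' cannot apply."""
    return (avc.get('denied', False)
            and avc.get('path', '').startswith('/dev/')
            and avc.get('dev') == 'rootfs'
            and avc.get('tcontext', '').endswith(':rootfs:s0'))
```

Running `misplaced_dev_node(parse_avc(AVC_LINE))` on the quoted denial returns True; the same denial against a tmpfs-labelled node returns False, which is the normal case once CONFIG_TMPFS is enabled.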

_______________________________________________
Seandroid-list mailing list
[email protected]