Since these are not merged and will cause CTS failures due to modified 
neverallow statements if backported, this simple change can be applied as a 
stop-gap.

diff --git a/init/devices.cpp b/init/devices.cpp
index b48967f..a31b3d9 100644
--- a/init/devices.cpp
+++ b/init/devices.cpp
@@ -259,7 +259,7 @@ static void make_device(const char *path,
     /* If the node already exists update its SELinux label to handle cases when
      * it was created with the wrong context during coldboot procedure. */
     if (mknod(path, mode, dev) && (errno == EEXIST)) {
-        if (lsetfilecon(path, secontext)) {
+        if (block && lsetfilecon(path, secontext)) {
             ERROR("Cannot set '%s' SELinux label on '%s' device (%s)\n",
                     secontext, path, strerror(errno));
         }
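Review bot: gating the relabel on `block` means the EEXIST fix-up no longer runs for character devices at all, which is exactly the class in the quoted denials (`tclass=chr_file`, `name="ttyS0"`): a char node created with the wrong context during coldboot now keeps it, while the comment just above the `mknod` call still says the label is updated whenever the node already exists. Either update that comment to say the relabel is block-only in this stop-gap, or apply the message's own "only call lsetfilecon() on a delta" approach and compare the current label with `secontext` before calling `lsetfilecon`, which removes the superfluous relabelfrom/relabelto for both device classes without dropping the wrong-context repair. `block` is not visible in this hunk; confirm it is the existing `make_device` parameter rather than a new local.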


From: Roberts, William C
Sent: Thursday, June 2, 2016 4:19 PM
To: [email protected]
Cc: Nick Kralevich <[email protected]>; Stephen Smalley <[email protected]>; 
Jeffrey Vander Stoep <[email protected]>; Daniel Cashman <[email protected]>; 
Serban, Mihai <[email protected]>
Subject: coldboot superfluous relabelfrom/relabelto

If anyone else sees a bunch of relabelfrom/relabelto's coming from ueventd, 
like so:

[   14.409448] type=1400 audit(978307239.225:26): avc: denied { relabelfrom } 
for pid=1572 comm="ueventd" name="ttyS0" dev="tmpfs" ino=9613 
scontext=u:r:ueventd:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file 
permissive=1
[   14.428107] type=1400 audit(978307239.225:27): avc: denied { relabelto } for 
pid=1572 comm="ueventd" name="ttyS0" dev="tmpfs" ino=9613 
scontext=u:r:ueventd:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file 
permissive=1

The root causes are from changes:

system/core:
commit: 24a3cbfa732dc14c1a559f4ad79e1700fbae888f : 
https://android-review.googlesource.com/219919

system/sepolicy:
commit: d41ad551189c1b7be26a1807980418858b2a132e : 
https://android-review.googlesource.com/235336

The problem stems from the introduced call to lsetfilecon() which does so 
without discretion.

The fix is to only call lsetfilecon() on a delta.

The introductory patches to correct the issue are here:
https://android-review.googlesource.com/#/q/topic:coldboot-fix

For those backporting any changes, bear in mind that these will need CTS fixes 
and/or waivers.

Thanks to sds for helping me debug this.

----
Bill
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].
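As an added example that is not part of this thread or of AOSP, here is a small Python parser for dmesg-style AVC audit lines like the two quoted above. It extracts the key=value fields and groups relabelfrom/relabelto denials by (comm, scontext, tcontext, tclass), which is the quick check for whether a device tree still carries the superfluous ueventd relabel before deciding on a backport or a policy change. The sample lines are the two from the message, unwrapped onto one line each, plus one constructed non-relabel denial to show that it is filtered out; the function and variable names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the two ueventd denials quoted in the message (the mail
# client wrapped them; here each is one line) plus one unrelated denial.
SAMPLE_DMESG = """\
[   14.409448] type=1400 audit(978307239.225:26): avc: denied { relabelfrom } for pid=1572 comm="ueventd" name="ttyS0" dev="tmpfs" ino=9613 scontext=u:r:ueventd:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
[   14.428107] type=1400 audit(978307239.225:27): avc: denied { relabelto } for pid=1572 comm="ueventd" name="ttyS0" dev="tmpfs" ino=9613 scontext=u:r:ueventd:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
[   14.500000] type=1400 audit(978307239.300:28): avc: denied { write } for pid=2001 comm="untrusted_app" name="data" dev="mmcblk0p1" ino=12 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
"""

# "avc: denied { perm1 perm2 } for <fields...>"
AVC_RE = re.compile(r'avc: denied \{ (?P<perms>[^}]+) \} for (?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

RELABEL_PERMS = ('relabelfrom', 'relabelto')


def parse_avc(line):
    """Return a dict of AVC fields for one denial line, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def parse_log(text):
    """Parse every AVC denial in a block of dmesg/logcat text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def relabel_denials(records):
    """Group relabelfrom/relabelto denials by (comm, scontext, tcontext, tclass).

    Returns {key: sorted list of relabel perms seen}; a key that shows both
    relabelfrom and relabelto is the pattern the message describes.
    """
    seen = defaultdict(set)
    for r in records:
        perms = [p for p in r['perms'] if p in RELABEL_PERMS]
        if not perms:
            continue
        key = (r.get('comm'), r.get('scontext'), r.get('tcontext'), r.get('tclass'))
        seen[key].update(perms)
    return {k: sorted(v) for k, v in seen.items()}


def permissive_only(records):
    """True if every parsed denial was logged in permissive mode (permissive=1),
    i.e. nothing was actually blocked yet; useful when triaging a new policy."""
    return all(r.get('permissive') == '1' for r in records)


if __name__ == '__main__':
    recs = parse_log(SAMPLE_DMESG)
    for (comm, sctx, tctx, tclass), perms in relabel_denials(recs).items():
        print(f"{comm}: {sctx} -> {tctx} ({tclass}): {' '.join(perms)}")
```

On a real device, feed it `dmesg` or `logcat -b events` output; a ueventd entry showing both relabelfrom and relabelto against the same target type is the signature of the unconditional lsetfilecon() call, as opposed to a genuine mislabel that would typically show only one direction for a different target type.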
