On Jun 20, 2016 01:24, "YongQin Liu" <[email protected]> wrote:
>
> Hi, William
>
> Sorry for the late response, my laptop OS crashed last Friday :(
>
> Thanks for your suggestion first, and some comments in line.
> On 17 June 2016 at 07:50, William Roberts <[email protected]> wrote:
>>
>> Typing this from my phone, might not be great. Dac override is triggered when the process permissions don't match with the owner group and mode of a file. Dan Walsh has info on it here:
>> http://danwalsh.livejournal.com/69478.html
>
>
> I checked that, but still did not find a good method to know which file/operation caused those denials.
>>
>> I would try and add an auditallow statement(s) to find what file it's accessing that might be causing this, and then adjust the dac permissions accordingly.
>
> After I added the following rule:
> auditallow logd self:capability dac_override;

No I meant on file types, something like this:
auditallow logd file_type:{file dir} *;

I'm typing that from memory from a smart phone so it might not be 100%
correct. But you want to get it to show you what files it's accessing, you
already know about DAC override.

Additionally you could enable the per-syscall audit subsystem, but it's a
little bit of work in the kernel to do that.
>
> I got following message in console log:
> [    7.076059] audit: type=1400 audit(10.759:3): avc:  denied  { dac_override } for  pid=1734 comm="logd" capability=1  scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability permissive=1
> [    7.093377] audit: type=1400 audit(10.775:4): avc:  granted  { dac_override } for  pid=1734 comm="logd" capability=1  scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability
> [    7.107007] (stk) :ldisc installation timeout
> [    7.114174] (stk) :ldisc_install = 0
> [    7.114176] audit: type=1400 audit(10.795:5): avc:  granted  { dac_override } for  pid=1734 comm="logd" capability=1  scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability
> [    7.149786] logd.auditd: start
> [    7.152983] logd.klogd: 7110154165
> [    7.193079] logd.auditd: policy loaded
> [    7.199590] logd.auditd: integrity enforcement suppressed; not rebooting
>
> Seems there is no clue on which file caused those denials.
>
> Do you have any comments on the output above?
>
> Thanks,
> Yongqin Liu
>
>>
>> On Jun 16, 2016 09:50, "YongQin Liu" <[email protected]> wrote:
>>>
>>> Hi, ALL
>>>
>>> I am playing with the AOSP master on the hikey board, and I get the following dac_override avc denial on the logd command:
>>>
>>> avc:  denied  { dac_override } for  pid=1763 comm="logd" capability=1  scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability permissive=1
>>>
>>> I built the same source for the Nexus9 board, and I did not see such a dac_override denial on logd with that Nexus9 board.
>>>
>>> Searched "logd" in the device projects for hikey and Nexus9, but did not find any clue on why I got the dac_override avc denial on logd with the hikey build.
>>>
>>>
>>> Referenced the document here:
>>>
>>> http://source.android.com/security/selinux/device-policy.html#granting_the_dac_override_capability
>>>
>>> But still have no idea how to change to eliminate the dac_override denial for logd command.
>>>
>>> Do you have any idea on what happens there, or where to check on it?
>>>
>>> Thanks in advance!
>>>
>>> --
>>> Best Regards,
>>> Yongqin Liu
>>> ---------------------------------------------------------------
>>> #mailing list
>>> [email protected]
>>> http://lists.linaro.org/mailman/listinfo/linaro-android
>>>
>>> _______________________________________________
>>> Seandroid-list mailing list
>>> [email protected]
>>> To unsubscribe, send email to [email protected].
>>> To get help, send an email containing "help" to [email protected].
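
Added example, not part of the original thread and not AOSP code: once the auditallow rule on file_type is loaded, this Python script lists the file/dir accesses logd made within a short window of each dac_override denial, giving the candidate files whose owner, group and mode to compare against logd's uid/gid. The sample log is constructed, and the 50 ms window and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. The first record is the denial quoted in the thread; the
# file/dir "granted" records show what the auditallow rule would add. Their
# names, inode numbers and the example_file type are hypothetical.
SAMPLE_LOG = '''\
[    7.076059] audit: type=1400 audit(10.759:3): avc:  denied  { dac_override } for  pid=1734 comm="logd" capability=1  scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability permissive=1
[    7.076301] audit: type=1400 audit(10.760:4): avc:  granted  { write } for  pid=1734 comm="logd" name="example_node" dev="tmpfs" ino=4242 scontext=u:r:logd:s0 tcontext=u:object_r:example_file:s0 tclass=file
[    7.080000] audit: type=1400 audit(10.761:5): avc:  granted  { read } for  pid=1800 comm="other" name="unrelated" dev="tmpfs" ino=5000 scontext=u:r:other:s0 tcontext=u:object_r:example_file:s0 tclass=file
[    7.093377] audit: type=1400 audit(10.775:6): avc:  granted  { search } for  pid=1734 comm="logd" name="example_dir" dev="tmpfs" ino=4200 scontext=u:r:logd:s0 tcontext=u:object_r:example_file:s0 tclass=dir
[    9.500000] audit: type=1400 audit(13.100:9): avc:  granted  { read } for  pid=1734 comm="logd" name="late_file" dev="tmpfs" ino=4300 scontext=u:r:logd:s0 tcontext=u:object_r:example_file:s0 tclass=file
'''

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC record as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec.update(ts=float(m.group('ts')), result=m.group('result'),
               perms=m.group('perms').split())
    return rec

def files_near_dac_override(log_text, comm='logd', window=0.05):
    """Map each dac_override denial (by audit timestamp) to the file/dir
    accesses the same pid logged within `window` seconds of it."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    hits = defaultdict(list)
    for d in recs:
        if (d['result'] != 'denied' or 'dac_override' not in d['perms']
                or d.get('comm') != comm):
            continue
        for f in recs:
            if (f['result'] == 'granted' and f.get('tclass') in ('file', 'dir')
                    and f.get('pid') == d['pid']
                    and abs(f['ts'] - d['ts']) <= window):
                hits[d['ts']].append(
                    (f.get('path') or f.get('name'), f['tclass'], f['perms']))
    return dict(hits)

if __name__ == '__main__':
    for ts, files in files_near_dac_override(SAMPLE_LOG).items():
        print(ts, files)
```

The time window is a heuristic: a record outside it, or from another pid, is ignored, so widen it if the kernel log shows the file records arriving later.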