On Jun 20, 2016 07:51, "William Roberts" <bill.c.robe...@gmail.com> wrote:
>
>
> On Jun 20, 2016 01:24, "YongQin Liu" <yongqin....@linaro.org> wrote:
> >
> > Hi, William
> >
> > Sorry for late response, my laptop OS crashed last Friday:(
> >
> > Thanks for your suggestion first, and some comments in line.
> > On 17 June 2016 at 07:50, William Roberts <bill.c.robe...@gmail.com> wrote:
> >>
> >> Typing this from my phone, might not be great. Dac override is triggered when the process permissions don't match with the owner group and mode of a file. Dan Walsh has info on it here: http://danwalsh.livejournal.com/69478.html
> >
> >
> > I checked that, but still did not find a good method to know which file/operation caused that denials.
> >>
> >> I would try and add an auditallow statement(s) to find what file it's accessing that might be causing this, and then adjust the dac permissions accordingly.
> >
> > After I added following rule:
> > auditallow logd self:capability dac_override;
>
> No I meant on file types, something like this:
> auditallow logd file_type:{file dir} *;
>
> I'm typing that from memory from a smart phone so it might not be 100% correct. But you want to get it to show you what files it's accessing, you already know about DAC override.

Also probably want to do fs_type on the target type as well since it might be syscall or something like that.
>
> Additionally uou could enable the per auacall audti subsystem but its a little bit of work in the kernel to do that.

Mangled, I meant per syscall audit system.
>
> >
> > I got following message in console log:
> > [ 7.076059] audit: type=1400 audit(10.759:3): avc: denied { dac_override } for pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability permissive=1
> > [ 7.093377] audit: type=1400 audit(10.775:4): avc: granted { dac_override } for pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability
> > [ 7.107007] (stk) :ldisc installation timeout
> > [ 7.114174] (stk) :ldisc_install = 0
> > [ 7.114176] audit: type=1400 audit(10.795:5): avc: granted { dac_override } for pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability
> > [ 7.149786] logd.auditd: start
> > [ 7.152983] logd.klogd: 7110154165
> > [ 7.193079] logd.auditd: policy loaded
> > [ 7.199590] logd.auditd: integrity enforcement suppressed; not rebooting
> >
> > Seems no clue on which file caused that denials.
> >
> > Do you have any comments on the output above?
> >
> > Thanks,
> > Yongqin Liu
> >
> >>
> >> On Jun 16, 2016 09:50, "YongQin Liu" <yongqin....@linaro.org> wrote:
> >>>
> >>> Hi, ALL
> >>>
> >>> I am playing the AOSP master with hikey board, and I get the following dac_override avc denial on logd command:
> >>>
> >>> avc: denied { dac_override } for pid=1763 comm="logd" capability=1 scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability permissive=1
> >>>
> >>> I built the same source for Nexus9 board, and I did not see such dac_override denial on logd with that Nexus9 board.
> >>>
> >>> Searched "logd" in the device projects for hikey and Nexus9, but did not find any clue on that
> >>> why I got the dac_override avc denial on logd with the hikey build,
> >>>
> >>>
> >>> Referenced the document here:
> >>> http://source.android.com/security/selinux/device-policy.html#granting_the_dac_override_capability
> >>>
> >>> But still have no idea how to change to eliminate the dac_override denial for logd command.
> >>>
> >>> Do you have any idea on what happens there, or where to check on it?
> >>>
> >>> Thanks in advance!
> >>>
> >>> --
> >>> Best Regards,
> >>> Yongqin Liu
> >>> ---------------------------------------------------------------
> >>> #mailing list
> >>> linaro-andr...@lists.linaro.org
> >>> http://lists.linaro.org/mailman/listinfo/linaro-android
> >>>
> >>> _______________________________________________
> >>> Seandroid-list mailing list
> >>> Seandroid-list@tycho.nsa.gov
> >>> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> >>> To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
> >
> >
> > --
> > Best Regards,
> > Yongqin Liu
> > ---------------------------------------------------------------
> > #mailing list
> > linaro-andr...@lists.linaro.org
> > http://lists.linaro.org/mailman/listinfo/linaro-android
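The capability records in the quoted console log carry no `name`/`path` field, which is why the thread moves to an auditallow rule on file types. The following is an added example, not code from the thread: it pairs each `dac_override` record with file/dir-class AVC records from the same pid that are close in audit time. The file/dir-class records, pid 999, serials 101-103 and the 5 ms window are constructed assumptions; proximity in time is a heuristic, not proof of cause.

```python
import re

# Constructed sample. The three capability records and the "(stk)" line are
# copied from the console log in the thread; the file/dir-class "granted"
# records (names, types, serials 101-103, pid 999) are invented to stand in
# for what an auditallow rule on file types could emit.
SAMPLE_LOG = """\
[ 7.076059] audit: type=1400 audit(10.759:3): avc: denied { dac_override } for pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability permissive=1
[ 7.076400] audit: type=1400 audit(10.760:101): avc: granted { search } for pid=1734 comm="logd" name="example_dir" dev="mmcblk0p9" ino=11 scontext=u:r:logd:s0 tcontext=u:object_r:example_data_file:s0 tclass=dir
[ 7.076900] audit: type=1400 audit(10.760:102): avc: granted { read } for pid=999 comm="other" name="unrelated" dev="mmcblk0p9" ino=12 scontext=u:r:other:s0 tcontext=u:object_r:example_file:s0 tclass=file
[ 7.093377] audit: type=1400 audit(10.775:4): avc: granted { dac_override } for pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability
[ 7.094000] audit: type=1400 audit(10.776:103): avc: granted { read open } for pid=1734 comm="logd" name="example.conf" dev="mmcblk0p9" ino=13 scontext=u:r:logd:s0 tcontext=u:object_r:example_file:s0 tclass=file
[ 7.107007] (stk) :ldisc installation timeout
[ 7.114176] audit: type=1400 audit(10.795:5): avc: granted { dac_override } for pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability
"""

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC record as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec.update(ts=float(m.group('ts')), serial=int(m.group('serial')),
               result=m.group('result'), perms=m.group('perms').split())
    return rec

def dac_override_candidates(log, window=0.005):
    """Map each dac_override record (by audit serial) to the named objects the
    same pid touched within `window` seconds. An empty list means the log
    holds no nearby file-class record to attribute the capability use to."""
    recs = [r for r in map(parse_avc, log.splitlines()) if r]
    caps = [r for r in recs
            if r.get('tclass') == 'capability' and 'dac_override' in r['perms']]
    objs = [r for r in recs
            if r.get('tclass') != 'capability' and ('path' in r or 'name' in r)]
    return [(c['serial'],
             [(o.get('path') or o.get('name'), o['tclass'], o['tcontext'])
              for o in objs
              if o['pid'] == c['pid'] and abs(o['ts'] - c['ts']) <= window])
            for c in caps]
```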