On Jun 20, 2016 07:51, "William Roberts" <bill.c.robe...@gmail.com> wrote:
>
>
> On Jun 20, 2016 01:24, "YongQin Liu" <yongqin....@linaro.org> wrote:
> >
> > Hi, William
> >
> > Sorry for late response, my laptop OS was crashed last Friday:(
> >
> > Thanks for your suggestion first, and some comments in line.
> > On 17 June 2016 at 07:50, William Roberts <bill.c.robe...@gmail.com>
wrote:
> >>
> >> Typing this from my phone, might not be great. Dac override is
triggered when the process permissions don't match with the owner group and
mode of a file. Dan Walsh has info on it here:
http://danwalsh.livejournal.com/69478.html
> >
> >
> > I checked that, but still not find a good method to know which
file/operation caused that denials.
> >>
> >> I would try and add an auditallow statement(s) to find what file it's
accessing that might be causing this, and then adjust the dac permissions
accordingly.
> >
> > After I added following rule:
> > auditallow logd self:capability dac_override;
>
> No I meant on file types, something like this:
> auditallow logd file_type:{file dir} *;
>
> I'm typing that from memory from a smart phone so it might not be 100%
correct. But you want to get it to show you what files it's accessing, you
already know about DAC override.
Also probably want to do fs_type on the target type as well since it might
be syscall or something like that.
>
> Additionally uou could enable the per auacall audti subsystem but its a
little bit of work in the kernel to do that.
Mangled, I meant per syscall audit system.
>
> >
> > I got following message in console log:
> > [ 7.076059] audit: type=1400 audit(10.759:3): avc: denied {
dac_override } for pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0
tcontext=u:r:logd:s0 tclass=capability permissive=1
> > [ 7.093377] audit: type=1400 audit(10.775:4): avc: granted {
dac_override } for pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0
tcontext=u:r:logd:s0 tclass=capability
> > [ 7.107007] (stk) :ldisc installation timeout
> > [ 7.114174] (stk) :ldisc_install = 0
> > [ 7.114176] audit: type=1400 audit(10.795:5): avc: granted {
dac_override } for pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0
tcontext=u:r:logd:s0 tclass=capability
> > [ 7.149786] logd.auditd: start
> > [ 7.152983] logd.klogd: 7110154165
> > [ 7.193079] logd.auditd: policy loaded
> > [ 7.199590] logd.auditd: integrity enforcement suppressed; not
rebooting
> >
> > Seems no clue on which file caused that denials.
> >
> > Do you have any comments on the output above?
> >
> > Thanks,
> > Yongqin Liu
> >
> >>
> >> On Jun 16, 2016 09:50, "YongQin Liu" <yongqin....@linaro.org> wrote:
> >>>
> >>> Hi, ALL
> >>>
> >>> I am playing the AOSP master with hikey board, and I get the
following dac_override avc denial on logd command:
> >>>
> >>> avc: denied { dac_override } for pid=1763 comm="logd" capability=1
scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability permissive=1
> >>>
> >>> I built the same source for Nexus9 board, and I did not see such
dac_override denial on logd with that Nexus9 board.
> >>>
> >>> Searched "logd" in he device projects for hikey and Nexus9, but did
not find any clue on that
> >>> why I got the dac_override avc denial on logd with the hikey build,
> >>>
> >>>
> >>> Referenced the document here:
> >>>
http://source.android.com/security/selinux/device-policy.html#granting_the_dac_override_capability
> >>>
> >>> But still have no idea how to change to eliminate the dac_override
denial for logd command.
> >>>
> >>> Do you have any idea on what happens there, or where to check on it?
> >>>
> >>> Thanks in advance!
> >>>
> >>> --
> >>> Best Regards,
> >>> Yongqin Liu
> >>> ---------------------------------------------------------------
> >>> #mailing list
> >>> linaro-andr...@lists.linaro.org
> >>> http://lists.linaro.org/mailman/listinfo/linaro-android
> >>>
> >>> _______________________________________________
> >>> Seandroid-list mailing list
> >>> Seandroid-list@tycho.nsa.gov
> >>> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> >>> To get help, send an email containing "help" to
seandroid-list-requ...@tycho.nsa.gov.
> >
> >
> >
> >
> > --
> > Best Regards,
> > Yongqin Liu
> > ---------------------------------------------------------------
> > #mailing list
> > linaro-andr...@lists.linaro.org
> > http://lists.linaro.org/mailman/listinfo/linaro-android
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to
seandroid-list-requ...@tycho.nsa.gov.
