Thanks a lot Stephen and Ravi. I am using Android 8.1 AOSP and the root cause is what Stephen pointed out about platform private sepolicy not being exported to non-platform policy. We will modify the application to not use the global tmpfs.
Regards,
Sameer Joshi

On Fri, Sep 14, 2018 at 8:37 PM Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/14/2018 04:31 AM, Sameer Joshi wrote:
> > Hi,
> >
> > We are trying to have our own way of generating a debug report and for
> > that we are running a script from the settings app, after "Generate report"
> > is pressed. We are using Android 8.1 for this scenario.
> >
> > In this case, we are trying to create new files in the "/tmp" directory.
>
> Use of a global /tmp is insecure. Create files in the app's data
> directory instead.
>
> > We get the following denials:
> >
> > 09-14 12:24:01.174 4592 4592 W media_report.sh: type=1400 audit(0.0:53): avc: denied { create } for name="audio_result" scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_tmpfs:s0 tclass=file permissive=0
> > 09-14 12:24:01.174 4592 4592 W media_report.sh: type=1400 audit(0.0:54): avc: denied { create } for name="audio_params" scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_tmpfs:s0 tclass=file permissive=0
> >
> > Using audit2allow gives the following rules:
> > #============= system_app ==============
> > allow system_app system_app_tmpfs:file create;
> >
> > Adding this rule into system_app.te gives the following error during
> > compilation.
> >
> > FAILED:
> > out/target/product/brio/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil
> > /bin/bash -c "(ASAN_OPTIONS=detect_leaks=0
> > out/host/linux-x86/bin/checkpolicy -C -M -c 30 -o
> > out/target/product/brio/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil.tmp
> > out/target/product/brio/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy.conf
> > ) && (grep -Fxv -f
> > out/target/product/brio/obj/FAKE/selinux_policy_intermediates/reqd_policy_mask.cil
> > out/target/product/brio/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil.tmp
> > > out/target/product/brio/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil
> > )"
> > device/avaya/brio/sepolicy/system_app.te:38:ERROR 'unknown type
> > system_app_tmpfs' at token ';' on line 26169:
> > #============= system_app ==============
> > allow system_app system_app_tmpfs:file create;
> > checkpolicy: error(s) encountered while parsing configuration
> >
> > Can anyone help with how to solve this problem?
>
> I think this is due to system_app_tmpfs being defined as part of the
> platform private sepolicy, and thus not being exported to the
> non-platform policy. Regardless, you shouldn't be allowing this.
>
> > Regards,
> >
> > Sameer Joshi
> >
> > _______________________________________________
> > Seandroid-list mailing list
> > Seandroid-list@tycho.nsa.gov
> > To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> > To get help, send an email containing "help" to
> > seandroid-list-requ...@tycho.nsa.gov.
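Added example, not part of the thread and not audit2allow itself: a small Python script that parses the AVC denials quoted above, aggregates them into an audit2allow-style allow rule, and flags the two problems raised in the thread, namely that the target type is platform-private (so the rule fails the nonplat policy build with "unknown type") and that the access is a write to a global tmpfs rather than the app's data directory. The set of platform-private types is an assumption seeded only with the type named in the thread.

```python
import re

# Constructed sample input: the two AVC denial lines quoted in the thread.
SAMPLE_LOG = """\
09-14 12:24:01.174 4592 4592 W media_report.sh: type=1400 audit(0.0:53): avc: denied { create } for name="audio_result" scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_tmpfs:s0 tclass=file permissive=0
09-14 12:24:01.174 4592 4592 W media_report.sh: type=1400 audit(0.0:54): avc: denied { create } for name="audio_params" scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_tmpfs:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]*)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# Assumption: types defined in platform private sepolicy, which device
# (non-platform) policy cannot reference; the thread names this one.
PLATFORM_PRIVATE_TYPES = {"system_app_tmpfs"}


def parse_denials(log):
    """Return one dict per AVC denial line: perms (set), stype, ttype, tclass."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": m.group("scontext").split(":")[2],   # u:r:TYPE:s0
            "ttype": m.group("tcontext").split(":")[2],   # u:object_r:TYPE:s0
            "tclass": m.group("tclass"),
        })
    return denials


def suggest_rules(denials):
    """Merge denials into audit2allow-style rules, one per (stype, ttype, tclass)."""
    merged = {}
    for d in denials:
        merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return sorted(f"allow {s} {t}:{c} {' '.join(sorted(p))};" for (s, t, c), p in merged.items())


def review_rule(rule):
    """Explain why a generated rule should not simply be pasted into device policy."""
    ttype = rule.split()[2].split(":")[0]
    findings = []
    if ttype in PLATFORM_PRIVATE_TYPES:
        findings.append(f"{ttype} is platform-private: nonplat build fails with 'unknown type'")
    if ttype.endswith("_tmpfs"):
        findings.append("target is a tmpfs (global /tmp): create files in the app's data directory instead")
    return findings
```

Running `review_rule` over `suggest_rules(parse_denials(SAMPLE_LOG))` reproduces both points Stephen made in the thread for the single generated rule.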