Re: can't reload sepolicy

2016-10-12 Thread Stephen Smalley
On 10/12/2016 05:57 AM, peng fei wrote:
> I want to modify sepolicy and verify it.
> 
> First,
> 
> I downloaded the android4.4.4 sepolicy, modified file.te and
> file_context, and added a new type sec_file.
> #/data/audit
> type sec_file, file_type, data_file_type;
> /data/audit(/.*)?   u:object_r:sec_file:s0
> 
> --
> Second, compile policy.
> 
> m4 -D mls_num_sens=1 -D mls_num_cats=1024 -D target_build_variant=user  
>-s security_classes initial_sids access_vectors global_macros
>  mls_macros mls policy_capabilities te_macros attributes *.te
> roles users initial_sid_contexts fs_use genfs_contexts
> port_contexts > policy.conf
> [pengfei@pengfei seandroid-4.4.4-external-sepolicy]$ checkpolicy -M -c
> 26 -o sepolicy policy.conf
> checkpolicy:  loading policy configuration from policy.conf
> checkpolicy:  policy configuration loaded
> checkpolicy:  writing binary representation (version 26) to sepolicy
> [pengfei@pengfei seandroid-4.4.4-external-sepolicy]$ file sepolicy
> sepolicy: SE Linux policy v26 MLS 8 symbols 7 ocons
> --
> Then I connected to an N958St, which is also android4.4.4.
> I adb pushed sepolicy and file_contexts to /data/security/current.
> 
> root@N958St:/data/security/current # setprop sys.init_log_level 6
> root@N958St:/data/security/current # setprop selinux.reload_policy 1
> root@N958St:/data/security/current # dmesg | grep 'SELinux'
> <7>[ 3802.717538] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 3802.718476] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 3802.718497] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1
> sens, 1024 cats
> <7>[ 3802.718513] SELinux:  84 classes, 1346 rules
> <6>[ 3802.719963] SELinux:  Permission attach_queue in class tun_socket
> not defined in policy.
> <6>[ 3802.719978] SELinux: the above unknown classes and permissions
> will be denied
> <14>[ 3803.548149] SELinux: Loaded policy from /sepolicy
> <7>[ 4479.980176] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4479.981074] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4479.981095] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1
> sens, 1024 cats
> <7>[ 4479.981107] SELinux:  84 classes, 1346 rules
> <6>[ 4479.982588] SELinux:  Permission attach_queue in class tun_socket
> not defined in policy.
> <6>[ 4479.982603] SELinux: the above unknown classes and permissions
> will be denied
> <14>[ 4480.187929] SELinux: Loaded policy from /sepolicy
> <7>[ 4503.340545] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4503.341450] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4503.341467] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1
> sens, 1024 cats
> <7>[ 4503.341479] SELinux:  84 classes, 1346 rules
> <6>[ 4503.342907] SELinux:  Permission attach_queue in class tun_socket
> not defined in policy.
> <6>[ 4503.342921] SELinux: the above unknown classes and permissions
> will be denied
> <14>[ 4504.009018] SELinux: Loaded policy from /sepolicy
> <7>[ 4524.927888] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4524.928835] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4524.928854] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1
> sens, 1024 cats
> <7>[ 4524.928865] SELinux:  84 classes, 1346 rules
> <6>[ 4524.930319] SELinux:  Permission attach_queue in class tun_socket
> not defined in policy.
> <6>[ 4524.930333] SELinux: the above unknown classes and permissions
> will be denied
> <14>[ 4525.218099] SELinux: Loaded policy from /sepolicy
> <7>[ 6609.537301] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 6609.538209] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 6609.538231] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1
> sens, 1024 cats
> <7>[ 6609.538243] SELinux:  84 classes, 1346 rules
> <6>[ 6609.539703] SELinux:  Permission attach_queue in class tun_socket
> not defined in policy.
> <6>[ 6609.539717] SELinux: the above unknown classes and permissions
> will be denied
> <14>[ 6609.828011] SELinux: Loaded policy from /sepolicy
> 
> This is the result. 
> root@N958St:/data # ls -Z 
> drwx-- root root  u:object_r:system_data_file:s0 audit
> 
> ---
> But I want to get the 
> drwx-- root root  u:object_r:sec_file:s0 audit
> 
> --- Please help me. Thanks in advance.

Android 4.4 disabled reading of selinux policies from /data in commit
72888bfad80641537c8ab2dda2b22779284682d9 to external/libselinux
(included in Android 4.4.3 and 4.4.4).  IIRC, there were problems with
devices being bricked upon an OTA with an old, incompatible /data
policy.  That problem was resolved in Android 5.0 by adding a comparison
of a new /selinux_version file to /data/security/current/selinux_version
and ignoring the /data policy if they did not match, so Android 5.0 and
5.1 once again included the support for loading /data policies. Android
6.0 removed the permissions for loading /data policies in the default
SELinux policy due to concerns about misuse of it, but the code remained
and could be enabled through device-specific policy. 
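The reply above describes the gate Android 5.0 added before honouring a policy under /data: the loader compares /selinux_version against /data/security/current/selinux_version and silently falls back to the ramdisk /sepolicy unless they match. The following is an added illustration of that decision written for this thread, not the code in external/libselinux; it models only the version comparison and fallback, takes all paths relative to a constructed root directory so it runs offline, and the version strings it writes are placeholders, not real build fingerprints.

```python
"""Model of the /data policy selection gate described in the reply above.

Added example, not libselinux code. On a device the files are
/selinux_version, /sepolicy and /data/security/current/{selinux_version,sepolicy};
here they live under a temporary root so the logic can be exercised offline.
"""
import os
import tempfile

VERSION_FILE = "selinux_version"                       # same basename at both locations
DATA_POLICY_DIR = os.path.join("data", "security", "current")
SYSTEM_POLICY = "sepolicy"                             # ramdisk policy, always present


def _read_version(path):
    """Return the stripped contents of a version file, or None if it cannot be read."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return fh.read().strip()
    except (OSError, UnicodeDecodeError):
        return None


def select_policy(root):
    """Return (policy_path, reason) for the policy a loader should use.

    The /data policy is eligible only when it exists and both version files
    exist and match exactly; every other state falls back to the system policy.
    """
    system_policy = os.path.join(root, SYSTEM_POLICY)
    data_policy = os.path.join(root, DATA_POLICY_DIR, SYSTEM_POLICY)
    system_ver = _read_version(os.path.join(root, VERSION_FILE))
    data_ver = _read_version(os.path.join(root, DATA_POLICY_DIR, VERSION_FILE))

    if not os.path.exists(data_policy):
        return system_policy, "no /data policy present"
    if system_ver is None or data_ver is None:
        return system_policy, "version file missing; /data policy ignored"
    if system_ver != data_ver:
        return system_policy, "version mismatch %r != %r; /data policy ignored" % (data_ver, system_ver)
    return data_policy, "versions match; using /data policy"


def build_tree(root, system_version, data_version=None, data_policy=True):
    """Construct a fake device tree (constructed data; policy bytes are placeholders)."""
    os.makedirs(os.path.join(root, DATA_POLICY_DIR), exist_ok=True)
    with open(os.path.join(root, SYSTEM_POLICY), "wb") as fh:
        fh.write(b"placeholder-policy")
    with open(os.path.join(root, VERSION_FILE), "w", encoding="utf-8") as fh:
        fh.write(system_version + "\n")
    if data_policy:
        with open(os.path.join(root, DATA_POLICY_DIR, SYSTEM_POLICY), "wb") as fh:
            fh.write(b"placeholder-policy")
    if data_version is not None:
        with open(os.path.join(root, DATA_POLICY_DIR, VERSION_FILE), "w", encoding="utf-8") as fh:
            fh.write(data_version + "\n")


def demo():
    """Run the interesting cases; return {case: (chosen path relative to root, reason)}."""
    cases = (
        ("match", dict(system_version="build-A", data_version="build-A")),
        ("mismatch", dict(system_version="build-A", data_version="build-B")),
        ("no_data_version", dict(system_version="build-A")),
        ("no_data_policy", dict(system_version="build-A", data_version="build-A", data_policy=False)),
    )
    results = {}
    for name, kwargs in cases:
        with tempfile.TemporaryDirectory() as root:
            build_tree(root, **kwargs)
            path, reason = select_policy(root)
            results[name] = (os.path.relpath(path, root), reason)
    return results


if __name__ == "__main__":
    for name, (path, reason) in demo().items():
        print("%-16s -> %-32s %s" % (name, path, reason))
```

Only an exact match selects the /data policy; a stale policy left behind by an OTA therefore never reaches the kernel, which is the bricking scenario the reply says the check was added for.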

can't reload sepolicy

2016-10-12 Thread peng fei
I want to modify sepolicy and verify it.

First,

I downloaded the android4.4.4 sepolicy, modified file.te and file_context,
and added a new type sec_file.
#/data/audit
type sec_file, file_type, data_file_type;
/data/audit(/.*)?   u:object_r:sec_file:s0

--
Second, compile policy.

m4 -D mls_num_sens=1 -D mls_num_cats=1024 -D target_build_variant=user
 -s security_classes initial_sids access_vectors global_macros  mls_macros
mls policy_capabilities te_macros attributes *.te roles users
initial_sid_contexts fs_use genfs_contexts port_contexts >
policy.conf
[pengfei@pengfei seandroid-4.4.4-external-sepolicy]$ checkpolicy -M -c 26
-o sepolicy policy.conf
checkpolicy:  loading policy configuration from policy.conf
checkpolicy:  policy configuration loaded
checkpolicy:  writing binary representation (version 26) to sepolicy
[pengfei@pengfei seandroid-4.4.4-external-sepolicy]$ file sepolicy
sepolicy: SE Linux policy v26 MLS 8 symbols 7 ocons
--
Then I connected to an N958St, which is also android4.4.4.
I adb pushed sepolicy and file_contexts to /data/security/current.

root@N958St:/data/security/current # setprop sys.init_log_level 6
root@N958St:/data/security/current # setprop selinux.reload_policy 1
root@N958St:/data/security/current # dmesg | grep 'SELinux'
<7>[ 3802.717538] SELinux: 512 avtab hash slots, 1346 rules.
<7>[ 3802.718476] SELinux: 512 avtab hash slots, 1346 rules.
<7>[ 3802.718497] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1 sens,
1024 cats
<7>[ 3802.718513] SELinux:  84 classes, 1346 rules
<6>[ 3802.719963] SELinux:  Permission attach_queue in class tun_socket not
defined in policy.
<6>[ 3802.719978] SELinux: the above unknown classes and permissions will
be denied
<14>[ 3803.548149] SELinux: Loaded policy from /sepolicy
<7>[ 4479.980176] SELinux: 512 avtab hash slots, 1346 rules.
<7>[ 4479.981074] SELinux: 512 avtab hash slots, 1346 rules.
<7>[ 4479.981095] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1 sens,
1024 cats
<7>[ 4479.981107] SELinux:  84 classes, 1346 rules
<6>[ 4479.982588] SELinux:  Permission attach_queue in class tun_socket not
defined in policy.
<6>[ 4479.982603] SELinux: the above unknown classes and permissions will
be denied
<14>[ 4480.187929] SELinux: Loaded policy from /sepolicy
<7>[ 4503.340545] SELinux: 512 avtab hash slots, 1346 rules.
<7>[ 4503.341450] SELinux: 512 avtab hash slots, 1346 rules.
<7>[ 4503.341467] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1 sens,
1024 cats
<7>[ 4503.341479] SELinux:  84 classes, 1346 rules
<6>[ 4503.342907] SELinux:  Permission attach_queue in class tun_socket not
defined in policy.
<6>[ 4503.342921] SELinux: the above unknown classes and permissions will
be denied
<14>[ 4504.009018] SELinux: Loaded policy from /sepolicy
<7>[ 4524.927888] SELinux: 512 avtab hash slots, 1346 rules.
<7>[ 4524.928835] SELinux: 512 avtab hash slots, 1346 rules.
<7>[ 4524.928854] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1 sens,
1024 cats
<7>[ 4524.928865] SELinux:  84 classes, 1346 rules
<6>[ 4524.930319] SELinux:  Permission attach_queue in class tun_socket not
defined in policy.
<6>[ 4524.930333] SELinux: the above unknown classes and permissions will
be denied
<14>[ 4525.218099] SELinux: Loaded policy from /sepolicy
<7>[ 6609.537301] SELinux: 512 avtab hash slots, 1346 rules.
<7>[ 6609.538209] SELinux: 512 avtab hash slots, 1346 rules.
<7>[ 6609.538231] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1 sens,
1024 cats
<7>[ 6609.538243] SELinux:  84 classes, 1346 rules
<6>[ 6609.539703] SELinux:  Permission attach_queue in class tun_socket not
defined in policy.
<6>[ 6609.539717] SELinux: the above unknown classes and permissions will
be denied
<14>[ 6609.828011] SELinux: Loaded policy from /sepolicy

This is the result.
root@N958St:/data # ls -Z
drwx-- root root  u:object_r:system_data_file:s0 audit

---
But I want to get the
drwx-- root root  u:object_r:sec_file:s0 audit

--- Please help me. Thanks in advance.
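The file_contexts entry in the post can be checked offline before anything is pushed to a device. The example below is added for this thread and is not libselinux code: it models two properties of the real file backend (label_file.c) that decide what label /data/audit receives: every spec is anchored to the whole path, and when several specs match, the last matching entry in the file wins. The file_contexts excerpt is constructed in the Android 4.4 style; the real lookup also applies stem-prefix optimisations and the optional file-type filter (`--`, `-d`, ...), which this model parses but does not enforce.

```python
"""Offline file_contexts lookup model (added example, not libselinux code)."""
import re

# Constructed excerpt in Android 4.4 file_contexts style, with the new
# /data/audit entry appended after the generic /data rule.
FILE_CONTEXTS = """\
/dev(/.*)?                u:object_r:device:s0
/system(/.*)?             u:object_r:system_file:s0
/data(/.*)?               u:object_r:system_data_file:s0
/data/dalvik-cache(/.*)?  u:object_r:dalvikcache_data_file:s0
#/data/audit
/data/audit(/.*)?         u:object_r:sec_file:s0
"""


def parse_file_contexts(text):
    """Parse file_contexts text into [(compiled_regex, context)] in file order."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:          # optional file-type field such as "--" or "-d"
            regex, _ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
        else:
            raise ValueError("line %d: malformed spec: %r" % (lineno, raw))
        # The file backend anchors every spec to the whole path before matching.
        specs.append((re.compile("^(?:%s)$" % regex), context))
    return specs


def lookup(specs, path):
    """Return the context assigned to path, or None. Last matching spec wins."""
    for regex, context in reversed(specs):
        if regex.match(path):
            return context
    return None


def move_entry_first(text, needle):
    """Return text with the first non-comment line containing needle moved to the top.

    Used to show the ordering pitfall: the same entry placed before /data(/.*)?
    is shadowed by it.
    """
    lines = text.splitlines()
    idx = next(i for i, l in enumerate(lines) if needle in l and not l.startswith("#"))
    return "\n".join([lines[idx]] + lines[:idx] + lines[idx + 1:]) + "\n"


def demo():
    """Resolve a few paths against both orderings; return {case: context}."""
    appended = parse_file_contexts(FILE_CONTEXTS)
    prepended = parse_file_contexts(move_entry_first(FILE_CONTEXTS, "/data/audit("))
    return {
        "appended:/data/audit": lookup(appended, "/data/audit"),
        "appended:/data/audit/log.txt": lookup(appended, "/data/audit/log.txt"),
        "appended:/data/auditor": lookup(appended, "/data/auditor"),
        "prepended:/data/audit": lookup(prepended, "/data/audit"),
        "appended:/proc/1": lookup(appended, "/proc/1"),
    }


if __name__ == "__main__":
    for case, context in demo().items():
        print("%-32s %s" % (case, context))
```

With the entry appended after the generic /data rule, /data/audit and everything below it resolve to sec_file while /data/auditor stays system_data_file because the anchored regex does not match a longer name; the same entry placed above /data(/.*)? is shadowed and the directory keeps system_data_file. Two further points explain the `ls -Z` result in the post even when the spec is right: the dmesg lines all end in "Loaded policy from /sepolicy", so the pushed policy was never loaded and sec_file did not exist in the running policy, and a directory that already exists keeps the label stored in its xattr until it is relabelled (restorecon); a new file_contexts entry by itself does not change it.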
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov