Re: /data/misc contents are unlabeled

2018-03-09 Thread kiran mardi
Hi Stephen,

The issue I am mentioning is not 100% reproducible. We are seeing this very
rarely, so I don't know how to get this reproduced. Anyway, I will try to get
more details on the issue and get back to you.

I was also thinking about what else can be added to address this.

Thanks for your help.

On 09-Mar-2018 6:41 PM, "Stephen Smalley" wrote:

> On 03/09/2018 02:55 AM, kiran mardi wrote:
> > sh-3.2# toybox restorecon -nv /data/misc/dhcp
> >
> > [  158.754324] type=1400 audit(946742542.500:16): avc: denied { search }
> > for pid=983 comm="toybox" name="security" dev="mmcblk0p7" ino=186945
> > scontext=u:r:shell:s0 tcontext=u:object_r:security_file:s0 tclass=dir
> > permissive=1
> >
> > SELinux: Loaded file_contexts contexts from /file_contexts.bin.[
> > 158.776446] type=1400 audit(946742542.520:17): avc: denied { getattr } for
> > pid=983 comm="toybox" path="/data/misc/dhcp" dev="mmcblk0p7" ino=406419
> > scontext=u:r:shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
> > permissive=1
> >
> > SELinux:  Relabeling /data/misc/dhcp from u:object_r:unlabeled:s0 to
> > u:object_r:dhcp_data_file:s0.
>
> Ok, so you have a valid context for /data/misc/dhcp in your file_contexts,
> which should have been used if the restorecon_recursive /data executed.
>
> Did your file_contexts configuration change between the old and new
> versions?  restorecon_recursive /data will skip the tree walk if
> file_contexts has not changed since the last time it was run; this is based
> on a separate security.restorecon_last xattr set on the /data directory
> with the SHA1 hash of the /file_contexts.bin file.
>
> Also, what was the context on /data/misc/dhcp in the prior version from
> which you are upgrading?  Was it the same or different?  If different, what
> was it?


Re: /data/misc contents are unlabeled

2018-03-09 Thread Stephen Smalley
On 03/09/2018 08:13 AM, Stephen Smalley wrote:
> On 03/09/2018 02:55 AM, kiran mardi wrote:
>>     sh-3.2# toybox restorecon -nv /data/misc/dhcp
>>
>> [  158.754324] type=1400 audit(946742542.500:16): avc: denied { search } for 
>> pid=983 comm="toybox" name="security" dev="mmcblk0p7" ino=186945 
>> scontext=u:r:shell:s0 tcontext=u:object_r:security_file:s0 tclass=dir 
>> permissive=1
>>
>> SELinux: Loaded file_contexts contexts from /file_contexts.bin.[  
>> 158.776446] type=1400 audit(946742542.520:17): avc: denied { getattr } for 
>> pid=983 comm="toybox" path="/data/misc/dhcp" dev="mmcblk0p7" ino=406419 
>> scontext=u:r:shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir 
>> permissive=1
>>
>>  
>>
>> SELinux:  Relabeling /data/misc/dhcp from u:object_r:unlabeled:s0 to 
>> u:object_r:dhcp_data_file:s0.
> 
> Ok, so you have a valid context for /data/misc/dhcp in your file_contexts, 
> which should have been used if the restorecon_recursive /data executed.
> 
> Did your file_contexts configuration change between the old and new versions? 
>  restorecon_recursive /data will skip the tree walk if file_contexts has not 
> changed since the last time it was run; this is based on a separate 
> security.restorecon_last xattr set on the /data directory with the SHA1 hash 
> of the /file_contexts.bin file.
> 
> Also, what was the context on /data/misc/dhcp in the prior version from which 
> you are upgrading?  Was it the same or different?  If different, what was it?

Also, were there any interesting log messages on the first boot after the 
upgrade (i.e. when we would expect the restorecon_recursive to execute)?  Look 
for any logcat or dmesg messages with SELinux: or avc: prefixes.
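Two checks that follow from Stephen's explanation, written here as an added example and not code from the thread or from Android's libselinux: the skip decision recomputed from the SHA1 of /file_contexts.bin against the security.restorecon_last xattr on /data (assumption: the xattr holds the raw 20-byte digest; the thread only says it is a SHA1 hash), and a scan of log lines for avc denials whose target is still u:object_r:unlabeled:s0, which is what the first-boot logcat/dmesg review he asks for would be looking for. The file_contexts rule and log lines below are constructed samples, the log lines being the two denials quoted in the thread.

```python
import hashlib
import os
import re

RESTORECON_LAST_XATTR = "security.restorecon_last"  # xattr named in the thread
# An avc denial whose target object still carries the unlabeled context.
AVC_UNLABELED = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'(?:path="(?P<path>[^"]*)"|name="(?P<name>[^"]*)").*?'
    r'tcontext=u:object_r:unlabeled:s0.*?tclass=(?P<tclass>\w+)')

def file_contexts_digest(file_contexts: bytes) -> bytes:
    # Assumption: the xattr holds the raw 20-byte SHA1 of /file_contexts.bin.
    return hashlib.sha1(file_contexts).digest()

def tree_walk_skipped(recorded, file_contexts: bytes) -> bool:
    # Skip rule from the thread: same digest as the last run means no tree
    # walk, so an unlabeled /data/misc/dhcp stays unlabeled despite a valid entry.
    return recorded is not None and recorded == file_contexts_digest(file_contexts)

def unlabeled_denials(log_lines):
    # (perms, object, tclass) for each denial against an unlabeled target:
    # the pattern to look for in first-boot logcat/dmesg output.
    hits = []
    for line in log_lines:
        m = AVC_UNLABELED.search(line)
        if m:
            hits.append((m["perms"], m["path"] or m["name"], m["tclass"]))
    return hits

def live_check(data_dir="/data", fc_path="/file_contexts.bin") -> bool:
    # For a rooted device or emulator shell: compare the real xattr on /data.
    with open(fc_path, "rb") as f:
        fc = f.read()
    try:
        recorded = os.getxattr(data_dir, RESTORECON_LAST_XATTR)
    except (OSError, AttributeError):  # xattr not set yet, or non-Linux host
        recorded = None
    return tree_walk_skipped(recorded, fc)

# Constructed sample: the upgrade ships a byte-identical file_contexts.bin,
# and the first-boot log carries the two denials quoted in the thread.
OLD_FC = b"/data/misc/dhcp(/.*)?  u:object_r:dhcp_data_file:s0\n"
SAMPLE_LOG = [
    '[  158.754324] type=1400 audit(946742542.500:16): avc: denied { search } for '
    'pid=983 comm="toybox" name="security" dev="mmcblk0p7" ino=186945 '
    'scontext=u:r:shell:s0 tcontext=u:object_r:security_file:s0 tclass=dir permissive=1',
    '[  158.776446] type=1400 audit(946742542.520:17): avc: denied { getattr } for '
    'pid=983 comm="toybox" path="/data/misc/dhcp" dev="mmcblk0p7" ino=406419 '
    'scontext=u:r:shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1',
]
```

Offline, `tree_walk_skipped(file_contexts_digest(OLD_FC), OLD_FC)` is True for the constructed sample (unchanged file_contexts, so no relabel), while `unlabeled_denials(SAMPLE_LOG)` flags only the getattr on /data/misc/dhcp; on a device, `live_check()` reads the real xattr instead.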