I wrote a daemon, running as system.
When it tries to open the /proc//stat entry of a process PID that is using its library, I get this SELinux error:
type=1400 audit(1464247244.561:530): avc: denied { search } for pid=22968 comm="Binder_3" name="22899" dev="proc" ino=71342 scontext=u:r:system_app:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
Am I missing some “allow” rule for my daemon?
The error seems unrelated to it (as if the ‘system_app’ domain lacks permissions, not my daemon).
How can I fix it?
You should execute
adb shell ps -eZ | grep 22968
command to find the problematic service or app from the command line while your app is running. After you find the victim (app), you have to add a SELinux rule for handling the access violation to the /external/sepolicy/service_contexts file.
Related
I'm trying to use pstore logs on my Poco M3. I tried everything. The pstore configs are enabled in the kernel, the pstore module is loaded on the phone, the phone is rooted, and /sys/fs/pstore is mounted automatically but never contains anything.
130|citrus:/ # dmesg | grep pstore
[ 0.094327] console [pstore-1] enabled
[ 0.094468] pstore: Registered ramoops as persistent store backend
[ 1.065975] pstore: Using compression: deflate
[ 98.052156] type=1400 audit(1654268897.690:3752): avc: denied { read } for comm="ls" name="/" dev="pstore" ino=1197 scontext=u:r:shell:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
[ 98.052450] type=1400 audit(1654268897.690:3753): avc: denied { open } for comm="ls" path="/sys/fs/pstore" dev="pstore" ino=1197 scontext=u:r:shell:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
It looks like SELinux is blocking ls on /sys/fs/pstore. Is there a way to make it always allow ls on /sys/fs/pstore, even after reboot?
I already added androidboot.selinux=permissive to my boot command line and it's recognized on the phone:
130|citrus:/ # getenforce
Permissive
UPDATE: I just learned that permissive means just logging without blocking, so this is not blocking; my pstore is indeed empty. Am I right?
/sys/fs/pstore is used very specifically - to persistently store crash files - kernel oops and last RAM console. So the fact it doesn't contain anything is actually good, in a way.
To see for yourself, simulate a panic. That'd require writing 'c' to /proc/sysrq_trigger (and possibly enabling that via the /proc/sys/kernel/sysrq mask). The device will reboot, and on the next boot you will see that the store files appear. (Note this has to be the boot immediately following the crash, because the files are cleared thereafter.)
Incidentally, re: SELinux, those AVC logs you showed are there because SELinux denied the "ls" operation itself. That is a mandatory access control protection, which prevents reading the directory (even when it is empty). So that wouldn't change much.
I'm implementing a new feature on Android 10 (10.0.0_r30) that has to copy files from the data folder to the system folder at runtime. I've tried to do it via 'su cp' in Zygote, since Zygote runs as root, but then I get this error:
type=1400 audit(0.0:61): avc: denied { getattr } for name="su" dev="dm-0" ino=3160 scontext=u:r:zygote:s0 tcontext=u:object_r:su_exec:s0 tclass=file permissive=1
SELinux is disabled and I have no clue where else to look for the resolution of this error. Also, the system folder is writeable (parameter given to the emulator).
Besides that, can anyone tell me how else I could implement this particular task without rooting?
LogCat shows me this message every second
Any ideas on how to repair this error?
2021-01-17 17:41:08.905 174-174/? E/SELinux: avc: denied { find } for pid=25449 uid=2000 name=car_service scontext=u:r:shell:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
2021-01-17 17:41:09.903 174-174/? E/SELinux: avc: denied { find } for pid=25455 uid=2000 name=car_service scontext=u:r:shell:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
This is a SELinux denial. You can ignore it as it won't affect your app. There isn't anything you can do about it (at a user level).
If you are using a custom ROM, the maintainer needs to update their sepolicy.
If you are the maintainer, there are detailed guides on how to understand the denials and write the appropriate rules for them. One such guide is https://msfjarvis.dev/posts/understanding-and-resolving-selinux-denials-on-android/
If you have any specific doubts in writing the correct rule for this, you can update the question.
I had a lot of such errors on my Realme 8i with Android 11 (on a stock firmware) but for another name, tethering:
2023-01-01 15:34:33.134 501 501 system E SELinux : avc: denied { find } for pid=22576 uid=10219 name=tethering scontext=u:r:permissioncontroller_app:s0:c219,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=0
Disabling Tethering hardware acceleration in Developer options immediately stopped such spam.
I am developing an app for a custom device. My app runs from /system/priv-apps.
I need to access /data/data for other apps to give a cloud backup functionality.
While searching I came across "android.permission.CONFIRM_FULL_BACKUP" permission but I couldn't find a way to get the content of that particular "/data/data/pkg_name".
I don't think that system apps have su permission, so I can't call cp -R src dest.
Can anyone tell me regarding this?
Being in the same scenario as you, fellow, my system app can't read anything inside /data/data.
Logcat:
W type=1400 audit(0.0:121): avc: denied { read } for name="data" dev="vdc" ino=122881 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
I have modified bluedroid to include a small unix socket server for reasons.
When the client starts, I see that SELinux doesn't like it and throws out this:
05-26 18:01:41.072 6248-6248/? I/com.gps.uclient: type=1400 audit(0.0:20): avc: denied { connectto } for path=00236264726F696468696472617773727663 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket permissive=1
This socket does not have a real path. How do I add SELinux rule to allow this socket?
Update
Tried audit2allow as mentioned by Google here
Got errors.
gps#gps-HP-ProBook-4540s:~$ audit2allow -i sedeny.txt -p ./andsrc/android-6.0.1_r25/out/target/product/flo/root/sepolicy
libsepol.policydb_read: policydb version 30 does not match my version range 15-29
libsepol.context_from_record: user u is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert u:r:untrusted_app:s0:c512,c768 to sid
I have no real experience in SELinux, so I am pretty much stuck here.
The error was:
policydb version 30 does not match my version...
This error was generated by audit2allow installed with apt-get.
It is resolved by using audit2allow found in the AOSP.
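The answer above that points at a guide for understanding denials, and the audit2allow question just above, both come down to the same mechanical step: read the fields of an AVC record (source domain, target type, object class, permissions, permissive flag) and turn them into a candidate `allow` rule. The parser below is an added example written for this page; it is not audit2allow and not code from any of the posts. Its sample input is constructed from the denial lines quoted on this page, including the logcat-prefixed ones and the hex-encoded `path=` of the abstract bluedroid socket (audit hex-encodes strings it cannot quote, and a leading NUL byte is how an abstract, pathless unix socket name appears). The rules it prints are what audit2allow would suggest, not what you should necessarily ship: an allow rule is a starting point for a policy author to narrow, and AOSP's build-time neverallow checks may reject some of them outright.

```python
"""Parse Android AVC denial lines and turn them into audit2allow-style rules.

Added example for this page: not audit2allow itself and not code from any post.
Handles the two log shapes quoted on the page, raw audit records
(`type=1400 audit(...): avc: denied ...`) and logcat lines
(`E/SELinux: avc: denied ...`), by locating the `avc:` part itself.
"""
import re
from collections import defaultdict

# Sample input constructed from the denials quoted on this page.
SAMPLE_DENIALS = [
    'type=1400 audit(1464247244.561:530): avc: denied { search } for pid=22968 '
    'comm="Binder_3" name="22899" dev="proc" ino=71342 scontext=u:r:system_app:s0 '
    'tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0',
    '[   98.052156] type=1400 audit(1654268897.690:3752): avc: denied { read } for '
    'comm="ls" name="/" dev="pstore" ino=1197 scontext=u:r:shell:s0 '
    'tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1',
    '[   98.052450] type=1400 audit(1654268897.690:3753): avc: denied { open } for '
    'comm="ls" path="/sys/fs/pstore" dev="pstore" ino=1197 scontext=u:r:shell:s0 '
    'tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1',
    '2021-01-17 17:41:08.905 174-174/? E/SELinux: avc: denied { find } for pid=25449 '
    'uid=2000 name=car_service scontext=u:r:shell:s0 '
    'tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0',
    '05-26 18:01:41.072 6248-6248/? I/com.gps.uclient: type=1400 audit(0.0:20): avc: '
    'denied { connectto } for path=00236264726F696468696472617773727663 '
    'scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 '
    'tclass=unix_stream_socket permissive=1',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split u:r:system_app:s0:c512,c768 into (user, role, type, mls); mls is optional."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else "")


def decode_audit_value(raw):
    """The kernel quotes ordinary strings and hex-encodes ones holding NUL, spaces
    or quotes; a leading NUL marks an abstract unix socket name (shown as '@name').
    Userspace loggers (logcat) may emit unquoted plain names, so only an unquoted
    value made entirely of hex digits is decoded."""
    if raw.startswith('"'):
        return raw.strip('"')
    if re.fullmatch(r"[0-9A-Fa-f]+", raw) and len(raw) % 2 == 0:
        data = bytes.fromhex(raw)
        if data.startswith(b"\x00"):
            return "@" + data[1:].decode("latin-1")
        return data.decode("latin-1")
    return raw


def parse_denial(line):
    """Return a dict describing one denial, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError(f"denial is missing {key}: {line!r}")
    sdomain = parse_context(fields["scontext"])[2]
    ttype = parse_context(fields["tcontext"])[2]
    opt = {k: decode_audit_value(fields[k]) if k in fields else None
           for k in ("comm", "name", "path")}
    return {
        "perms": m.group("perms").split(), "sdomain": sdomain, "ttype": ttype,
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but still went ahead.
        "enforced": fields.get("permissive") == "0",
        "pid": fields.get("pid"), **opt,
    }


def explain(d):
    """One-line summary: who was denied what, on which object, and whether it mattered."""
    who = d["sdomain"]
    if d["comm"]:
        who += f" (comm={d['comm']}" + (f", pid {d['pid']}" if d["pid"] else "") + ")"
    obj = d["path"] or d["name"] or "?"
    state = "enforced" if d["enforced"] else "permissive, not blocked"
    return (f"{who} denied {' '.join(d['perms'])} on {d['tclass']} {obj!r} "
            f"labelled {d['ttype']} [{state}]")


def allow_rules(denials):
    """Merge like audit2allow: one rule per (source domain, target type, class),
    with the permissions unioned."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["sdomain"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {{ {p} }};" if len(perms) > 1
                     else f"allow {s} {t}:{c} {p};")
    return rules


if __name__ == "__main__":
    parsed = [d for d in map(parse_denial, SAMPLE_DENIALS) if d]
    for d in parsed:
        print(explain(d))
    print("\n".join(allow_rules(parsed)))
```

Run on the first question's denial, the summary makes the point that answer missed: the source domain is `system_app`, not the daemon's own domain, and `name="22899"` is the target process's /proc directory, so the rule that would be generated is `allow system_app untrusted_app:dir search;`. The two pstore denials collapse into one `allow shell pstorefs:dir { open read };` line, and the bluedroid socket name decodes to `@#bdroidhidrawsrvc`, which is how an abstract socket with "no real path" shows up in the log.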