From: Stephen Smalley <sds@tycho.nsa.gov>
To: Subramani Venkatesh <selinuxv31@gmail.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: CTS failure on SEAndroid Galaxy Nexus
Date: Wed, 07 Mar 2012 09:06:17 -0500
Message-ID: <1331129177.16697.26.camel@moss-pluto>
In-Reply-To: <CAD8iFzwjZbUsmPJan6tU-un9goYWxZFbrykqYXr3HU+o6ea1_Q@mail.gmail.com>

On Wed, 2012-03-07 at 08:57 -0500, Subramani Venkatesh wrote:
> Hi Stephen,
> 
> Thanks for the response, my comments are inlined
> 
> On Wed, Mar 7, 2012 at 8:36 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On Wed, 2012-03-07 at 08:18 -0500, Subramani Venkatesh wrote:
> >> Hi,
> >> Trying to execute CTS on SEAndroid with security enforce, but I am not
> >> successful getting it working, it crashes at the very beginning with
> >> an exception, is anyone else seeing the same issue?
> >
> > First, did you make sure that you had no avc messages before going into
> > enforcing mode and even trying to run the CTS?  adb shell dmesg | grep
> > avc should yield no output.
> <Subbu>: I fixed most of it, there were a couple of them missing, I will
> fix them and try again.
> >
> > Second, make sure you can run the CTS in permissive mode without any
> > difficulties as your baseline.
> <Subbu>: Yes CTS executes in permissive mode without any issues.
> >
> > Third, make sure you enable the android_cts policy boolean before
> > running the CTS.  If you have configured the CTS to not reboot the
> > device (set maxTestCount to -1 in repository/host_config.xml), then you
> > can just do this once via adb shell su 0 setsebool android_cts=1.
> > Otherwise, if you want to allow periodic reboots during the CTS, you
> > need to add setsebool android_cts=1 and setenforce 1 to your init.rc or
> > init.<board>.rc file so that it happens on each boot.
> <Subbu>: I did enable android_cts_policy boolean, I shall try changing
> my init.rc file to setenforce 1 all the time.

If you can run the CTS while in permissive mode, then you should do that
again (leaving it in permissive mode, with android_cts=1) and collect up
the denials.

adb shell su 0 cat /proc/kmsg > dmesg.txt

You can then add any necessary rules to cts.te under the boolean.

-- 
Stephen Smalley
National Security Agency
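
One way to turn the denials collected in dmesg.txt into candidate rules for cts.te, as an added example that is not part of the original message or of the SEAndroid project's own tooling. The function names and the sample log lines are constructed, and the `if (android_cts) { ... }` conditional form is an assumption about how rules are kept "under the boolean" in cts.te; every emitted rule is a candidate to review before it goes into policy.

```python
import re
from collections import defaultdict

# Constructed sample of /proc/kmsg output (not taken from the thread).
SAMPLE_KMSG = """\
<5>[  101.200000] type=1400 audit(1331129000.100:5): avc:  denied  { read write } for  pid=900 comm="cts.test" name="f" dev=mmcblk0p12 ino=11 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
<5>[  101.300000] type=1400 audit(1331129000.200:6): avc:  denied  { open } for  pid=900 comm="cts.test" name="f" dev=mmcblk0p12 ino=11 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
<6>[  101.400000] binder: 900:900 transaction failed
<5>[  102.000000] type=1400 audit(1331129001.000:7): avc:  denied  { getsched } for  pid=901 comm="sh" scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=process
"""

# Fields of an AVC denial that an allow rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Merge denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (other kernel messages)
        src, tgt = type_of(m["scon"]), type_of(m["tcon"])
        if src == tgt:
            tgt = "self"  # policy keyword for "same type as the source"
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return rules

def render_conditional(rules, boolean="android_cts"):
    """Render the merged rules inside a conditional block on `boolean`."""
    lines = [f"if ({boolean}) {{"]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        lines.append(f"    allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_conditional(collect_denials(SAMPLE_KMSG)))
```

Because the run is done in permissive mode, the log contains every access the CTS attempted rather than only the first one that failed, which is why repeated denials for the same source, target and class are merged into a single rule.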

