* Success - SEAndroid on Galaxy Nexus maguro
From: Palarz Thomas-DCJ738 @ 2012-04-24 14:13 UTC (permalink / raw)
  To: selinux@tycho.nsa.gov

All,

I've gotten SEAndroid 4.0.3 running on a Samsung Galaxy Nexus maguro (GSM). I've seen posts about it running on Galaxy Nexus already, but I assume that was the CDMA version toro. Thought I'd add my 2 cents and get it going on the GSM handset.

I did have to manually(-ish) build the zImage in order for mkbootimg build dependency to be satisfied and didn't see that on the wiki. What's the reasoning for creating a separate project for the omap tuna kernel btw? I assume it's because the Android build system is using a prebuilt kernel for the recovery image and we wanted an SELinux-aware kernel in place of it?

I haven't successfully turned enforcing on yet, but I have some avc denials. I'll try to run audit2allow tonight. The new SEAndroid Manager app with the avc log file save capability is really nifty ;)

Has anyone been trying to get SLIDE/CDS working with the SEAndroid policy? My last attempt at it didn't work out because the SEAndroid policy isn't being compiled in the Reference Policy format as far as I can tell, but I haven't spent significant amounts of time on it either to be honest.

Cheers!
-Tom

* Re: Success - SEAndroid on Galaxy Nexus maguro
From: Stephen Smalley @ 2012-04-24 14:48 UTC (permalink / raw)
  To: Palarz Thomas-DCJ738; +Cc: selinux@tycho.nsa.gov

On Tue, 2012-04-24 at 14:13 +0000, Palarz Thomas-DCJ738 wrote:
> All,
> 
> I've gotten SEAndroid 4.0.3 running on a Samsung Galaxy Nexus maguro
> (GSM). I've seen posts about it running on Galaxy Nexus already, but I
> assume that was the CDMA version toro. Thought I'd add my 2 cents and get
> it going on the GSM handset.
> 
> I did have to manually(-ish) build the zImage in order for mkbootimg
> build dependency to be satisfied and didn't see that on the wiki.
> What's the reasoning for creating a separate project for the omap tuna
> kernel btw? I assume it's because the Android build system is using a
> prebuilt kernel for the recovery image and we wanted an SELinux-aware
> kernel in place of it?

Correct.  We have a slightly modified kernel/omap tree that enables
SELinux and its dependencies in the kernel config and adds SELinux
permission checking for the Binder.  Then we have a slightly modified
device/samsung/tuna tree that uses our kernel rather than the prebuilt
one, defines HAVE_SELINUX := true in the BoardConfig.mk for the
userspace build, modifies init.tuna.rc, and adds the sepolicy.* files
for the tuna-specific policy definitions.

> I haven't successfully turned enforcing on yet, but I have some avc
> denials. I'll try to run audit2allow tonight. The new SEAndroid
> Manager app with the avc log file save capability is really nifty ;)

You might want to post the denials first for review.  Often the
audit2allow output is not what you want; instead you may simply need to
label some files correctly to get everything working cleanly.

> Has anyone been trying to get SLIDE/CDS working with the SEAndroid
> policy? My last attempt at it didn't work out because the SEAndroid
> policy isn't being compiled in the Reference Policy format as far as I
> can tell, but I haven't spent significant amounts of time on it either
> to be honest.

I briefly experimented with SLIDE as well (as you note, it doesn't work
presently) and have asked the SLIDE developers for more information
about its specific dependencies on refpolicy.  I suspect we would at
least need to introduce the same kind of inline xml documentation for
our macros so that they can be recognized by SLIDE, and we might have to
follow refpolicy's directory layout and naming conventions if we want
SLIDE to work seamlessly.  Might also need some equivalents to
refpolicy's build.conf and modules.conf files.  

I'm not sure though how critical it is, as the SE Android policy is
quite small and simple so it isn't clear how much you would gain from an
IDE.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* RE: Success - SEAndroid on Galaxy Nexus maguro
From: Palarz Thomas-DCJ738 @ 2012-04-24 19:40 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux@tycho.nsa.gov

Great info. Thanks.

The MDD aspects of CDS are appealing, though this is mostly for my own kind of experimentation at the moment. What about for MLS kind of solutions? Is that policy also expected to remain small?

My log file from SEAndroidManager is attached. Any help would be appreciated. This is a vanilla build with no modifications of my own. I am running ClockworkMod as the recovery image. I have tried installing su and Superuser.apk so that I can get busybox on there, but it's not in the build I am running right now. It could be just a config or build kind of thing that I did wrong, but my first guess is that it is maguro specific.

-Tom
[-- Attachment: avc_denied_logs_apr_24__2012_2_31_12_pm.log, Type: text/x-log, Size: 14606 bytes --]

<5>[ 3451.713867] type=1400 audit(1335289464.923:229): avc:  denied  { write } for  pid=477 comm="message" path="/dev/ttyO3" dev=tmpfs ino=2332 scontext=u:r:nfc:s0 tcontext=u:object_r:device:s0 tclass=chr_file

<5>[ 3451.767578] type=1400 audit(1335289464.977:230): avc:  denied  { read } for  pid=338 comm="putmethod.latin" path=2F6465762F6173686D656D2F64616C76696B2D4C696E656172416C6C6F63202864656C6574656429 dev=tmpfs ino=2725 scontext=u:r:trusted_app:s0:c16 tcontext=u:object_r:init_tmpfs:s0 tclass=file

<5>[ 3452.717132] type=1400 audit(1335289465.923:231): avc:  denied  { read } for  pid=456 comm="reader" path="/dev/ttyO3" dev=tmpfs ino=2332 scontext=u:r:nfc:s0 tcontext=u:object_r:device:s0 tclass=chr_file

<5>[ 3453.827087] type=1400 audit(1335289467.032:232): avc:  denied  { receive } for  pid=387 comm=42696E646572205468726561642023 scontext=u:r:trusted_app:s0:c17 tcontext=u:r:init:s0 tclass=binder

<5>[ 3454.841766] type=1400 audit(1335289468.048:233): avc:  denied  { receive } for  pid=208 comm=42696E646572205468726561642023 scontext=u:r:system_app:s0 tcontext=u:r:init:s0 tclass=binder

<5>[ 3454.843017] type=1400 audit(1335289468.048:234): avc:  denied  { open } for  pid=558 comm="android_manager" name="egl.cfg" dev=mmcblk0p10 ino=20988 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3454.843597] type=1400 audit(1335289468.048:235): avc:  denied  { execute } for  pid=558 comm="android_manager" path="/system/lib/egl/libGLES_android.so" dev=mmcblk0p10 ino=20989 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3529.361602] type=1400 audit(1335289542.571:236): avc:  denied  { write } for  pid=477 comm="message" path="/dev/ttyO3" dev=tmpfs ino=2332 scontext=u:r:nfc:s0 tcontext=u:object_r:device:s0 tclass=chr_file

<5>[ 3530.365051] type=1400 audit(1335289543.571:237): avc:  denied  { read } for  pid=456 comm="reader" path="/dev/ttyO3" dev=tmpfs ino=2332 scontext=u:r:nfc:s0 tcontext=u:object_r:device:s0 tclass=chr_file

<5>[ 3922.580596] type=1400 audit(1335289935.786:238): avc:  denied  { execute } for  pid=622 comm="m.android.email" path="/system/lib/egl/libGLES_android.so" dev=mmcblk0p10 ino=20989 scontext=u:r:trusted_app:s0:c12 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3922.913543] type=1400 audit(1335289936.122:239): avc:  denied  { read } for  pid=338 comm="putmethod.latin" path="/system/app/LatinIME.apk" dev=mmcblk0p10 ino=27927 scontext=u:r:trusted_app:s0:c16 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3923.100738] type=1400 audit(1335289936.310:240): avc:  denied  { search } for  pid=338 comm="putmethod.latin" name="/" dev=mmcblk0p10 ino=2 scontext=u:r:trusted_app:s0:c16 tcontext=u:object_r:unlabeled:s0 tclass=dir

<5>[ 3923.101104] type=1400 audit(1335289936.310:241): avc:  denied  { getattr } for  pid=338 comm="putmethod.latin" path="/system/lib/libjni_latinime.so" dev=mmcblk0p10 ino=21085 scontext=u:r:trusted_app:s0:c16 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3923.231292] type=1400 audit(1335289936.435:242): avc:  denied  { receive } for  pid=196 comm="system_server" scontext=u:r:trusted_app:s0:c16 tcontext=u:r:init:s0 tclass=binder

<5>[ 3923.234191] type=1400 audit(1335289936.443:243): avc:  denied  { call } for  pid=338 comm="putmethod.latin" scontext=u:r:trusted_app:s0:c16 tcontext=u:r:init:s0 tclass=binder

<5>[ 3923.270019] type=1400 audit(1335289936.474:244): avc:  denied  { open } for  pid=338 comm="putmethod.latin" name="gralloc.omap4.so" dev=mmcblk0p10 ino=106 scontext=u:r:trusted_app:s0:c16 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3923.270446] type=1400 audit(1335289936.474:245): avc:  denied  { execute } for  pid=338 comm="putmethod.latin" path="/system/vendor/lib/hw/gralloc.omap4.so" dev=mmcblk0p10 ino=106 scontext=u:r:trusted_app:s0:c16 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3994.241394] type=1400 audit(1335290007.450:246): avc:  denied  { call } for  pid=1141 comm="re-initialized>" scontext=u:r:trusted_app:s0:c7 tcontext=u:r:init:s0 tclass=binder

<5>[ 3994.262359] type=1400 audit(1335290007.466:247): avc:  denied  { receive } for  pid=111 comm="servicemanager" scontext=u:r:trusted_app:s0:c7 tcontext=u:r:init:s0 tclass=binder

<5>[ 3994.265624] type=1400 audit(1335290007.474:248): avc:  denied  { getattr } for  pid=1141 comm=".android.camera" path="/system/framework/framework-res.apk" dev=mmcblk0p10 ino=20969 scontext=u:r:trusted_app:s0:c7 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3994.266540] type=1400 audit(1335290007.474:249): avc:  denied  { read } for  pid=1141 comm=".android.camera" name="Camera.apk" dev=mmcblk0p10 ino=27913 scontext=u:r:trusted_app:s0:c7 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3994.266845] type=1400 audit(1335290007.474:250): avc:  denied  { open } for  pid=1141 comm=".android.camera" name="Camera.apk" dev=mmcblk0p10 ino=27913 scontext=u:r:trusted_app:s0:c7 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3994.305023] type=1400 audit(1335290007.513:251): avc:  denied  { read } for  pid=1141 comm=".android.camera" name="lib" dev=mmcblk0p10 ino=99 scontext=u:r:trusted_app:s0:c7 tcontext=u:object_r:unlabeled:s0 tclass=dir

<5>[ 3994.305297] type=1400 audit(1335290007.513:252): avc:  denied  { getattr } for  pid=1141 comm=".android.camera" path="/system/vendor/lib" dev=mmcblk0p10 ino=99 scontext=u:r:trusted_app:s0:c7 tcontext=u:object_r:unlabeled:s0 tclass=dir

<5>[ 3994.317565] type=1400 audit(1335290007.521:253): avc:  denied  { read } for  pid=1141 comm=".android.camera" path=2F6465762F6173686D656D2F64616C76696B2D4C696E656172416C6C6F63202864656C6574656429 dev=tmpfs ino=2725 scontext=u:r:trusted_app:s0:c7 tcontext=u:object_r:init_tmpfs:s0 tclass=file

<5>[ 3994.892639] type=1400 audit(1335290008.099:254): avc:  denied  { execute } for  pid=1141 comm=".android.camera" path="/system/lib/egl/libGLES_android.so" dev=mmcblk0p10 ino=20989 scontext=u:r:trusted_app:s0:c7 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 3995.032287] type=1400 audit(1335290008.239:255): avc:  denied  { transfer } for  pid=1141 comm=".android.camera" scontext=u:r:trusted_app:s0:c7 tcontext=u:r:init:s0 tclass=binder

<5>[ 4052.371612] type=1400 audit(1335290065.575:256): avc:  denied  { search } for  pid=389 comm="ndroid.launcher" name="/" dev=mmcblk0p10 ino=2 scontext=u:r:trusted_app:s0:c17 tcontext=u:object_r:unlabeled:s0 tclass=dir

<5>[ 4075.416473] type=1400 audit(1335290088.622:257): avc:  denied  { getattr } for  pid=457 comm="ndroid.settings" path="/system/framework/framework-res.apk" dev=mmcblk0p10 ino=20969 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 4075.429534] type=1400 audit(1335290088.638:258): avc:  denied  { read } for  pid=457 comm="ndroid.settings" path="/system/framework/framework-res.apk" dev=mmcblk0p10 ino=20969 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 4075.548645] type=1400 audit(1335290088.755:259): avc:  denied  { open } for  pid=457 comm="ndroid.settings" name="Roboto-Bold.ttf" dev=mmcblk0p10 ino=20950 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 4075.574401] type=1400 audit(1335290088.779:260): avc:  denied  { execute } for  pid=457 comm="ndroid.settings" path="/system/lib/egl/libGLES_android.so" dev=mmcblk0p10 ino=20989 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 5058.306610] type=1400 audit(1335291071.515:261): avc:  denied  { getattr } for  pid=323 comm="d.process.media" path="/system/framework/framework-res.apk" dev=mmcblk0p10 ino=20969 scontext=u:r:trusted_app:s0:c11 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 5166.818725] type=1400 audit(1335291180.023:262): avc:  denied  { call } for  pid=275 comm="ndroid.systemui" scontext=u:r:system_app:s0 tcontext=u:r:init:s0 tclass=binder

<5>[ 5238.105255] type=1400 audit(1335291251.312:263): avc:  denied  { receive } for  pid=411 comm=42696E646572205468726561642023 scontext=u:r:system_app:s0 tcontext=u:r:init:s0 tclass=binder

<5>[ 5240.590423] type=1400 audit(1335291253.796:264): avc:  denied  { call } for  pid=389 comm="ndroid.launcher" scontext=u:r:trusted_app:s0:c17 tcontext=u:r:init:s0 tclass=binder

<5>[ 5247.177795] type=1400 audit(1335291260.382:265): avc:  denied  { receive } for  pid=387 comm=42696E646572205468726561642023 scontext=u:r:trusted_app:s0:c17 tcontext=u:r:init:s0 tclass=binder

<5>[ 5268.270812] type=1400 audit(1335291281.476:266): avc:  denied  { read } for  pid=1517 comm="adbd" name="sh" dev=mmcblk0p10 ino=7246 scontext=u:r:adbd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file

<5>[ 5268.271270] type=1400 audit(1335291281.476:267): avc:  denied  { execute } for  pid=1517 comm="adbd" name="mksh" dev=mmcblk0p10 ino=7020 scontext=u:r:adbd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 5268.271820] type=1400 audit(1335291281.476:268): avc:  denied  { read open } for  pid=1517 comm="adbd" name="mksh" dev=mmcblk0p10 ino=7020 scontext=u:r:adbd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 5268.272705] type=1400 audit(1335291281.476:269): avc:  denied  { execute_no_trans } for  pid=1517 comm="adbd" path="/system/bin/mksh" dev=mmcblk0p10 ino=7020 scontext=u:r:adbd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 5268.274536] type=1400 audit(1335291281.484:270): avc:  denied  { getattr } for  pid=1517 comm="sh" path="/system/lib/libc.so" dev=mmcblk0p10 ino=21038 scontext=u:r:adbd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 5268.279083] type=1400 audit(1335291281.484:271): avc:  denied  { read write } for  pid=1517 comm="sh" name="tty" dev=tmpfs ino=2493 scontext=u:r:adbd:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file

<5>[ 5268.279663] type=1400 audit(1335291281.484:272): avc:  denied  { open } for  pid=1517 comm="sh" name="tty" dev=tmpfs ino=2493 scontext=u:r:adbd:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file

<5>[ 5268.280120] type=1400 audit(1335291281.484:273): avc:  denied  { ioctl } for  pid=1517 comm="sh" path="/dev/tty" dev=tmpfs ino=2493 scontext=u:r:adbd:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file

<5>[ 5268.615447] type=1400 audit(1335291281.820:274): avc:  denied  { getattr } for  pid=1523 comm="ls" path="/charger" dev=rootfs ino=131 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=file

<5>[ 5268.616577] type=1400 audit(1335291281.820:275): avc:  denied  { getattr } for  pid=1523 comm="ls" path="/dev" dev=tmpfs ino=2302 scontext=u:r:adbd:s0 tcontext=u:object_r:device:s0 tclass=dir

<5>[ 5268.617401] type=1400 audit(1335291281.820:276): avc:  denied  { getattr } for  pid=1523 comm="ls" path="/factory" dev=mmcblk0p3 ino=2 scontext=u:r:adbd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir

<5>[ 5268.619873] type=1400 audit(1335291281.828:277): avc:  denied  { getattr } for  pid=1523 comm="ls" path="/selinux" dev=selinuxfs ino=1 scontext=u:r:adbd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir

<5>[ 5270.402526] type=1400 audit(1335291283.609:278): avc:  denied  { search } for  pid=1517 comm="sh" name="/" dev=fuse ino=1 scontext=u:r:adbd:s0 tcontext=u:object_r:sdcard:s0 tclass=dir

<5>[ 5270.781646] type=1400 audit(1335291283.984:279): avc:  denied  { getattr } for  pid=1526 comm="ls" path="/mnt/sdcard" dev=fuse ino=1 scontext=u:r:adbd:s0 tcontext=u:object_r:sdcard:s0 tclass=dir

<5>[ 5270.782226] type=1400 audit(1335291283.992:280): avc:  denied  { read } for  pid=1526 comm="ls" name="/" dev=fuse ino=1 scontext=u:r:adbd:s0 tcontext=u:object_r:sdcard:s0 tclass=dir

<5>[ 5270.782775] type=1400 audit(1335291283.992:281): avc:  denied  { open } for  pid=1526 comm="ls" name="/" dev=fuse ino=1 scontext=u:r:adbd:s0 tcontext=u:object_r:sdcard:s0 tclass=dir

<5>[ 5270.791839] type=1400 audit(1335291284.000:282): avc:  denied  { getattr } for  pid=1526 comm="ls" path="/mnt/sdcard/avc_denied_logs_apr_24__2012_11_43_40_am.log" dev=fuse ino=11347048 scontext=u:r:adbd:s0 tcontext=u:object_r:sdcard:s0 tclass=file

<5>[ 5302.845581] type=1400 audit(1335291316.054:283): avc:  denied  { read } for  pid=1536 comm="adbd" name="avc_denied_logs_apr_24__2012_11_43_40_am.log" dev=fuse ino=11347048 scontext=u:r:adbd:s0 tcontext=u:object_r:sdcard:s0 tclass=file

<5>[ 5302.846160] type=1400 audit(1335291316.054:284): avc:  denied  { open } for  pid=1536 comm="adbd" name="avc_denied_logs_apr_24__2012_11_43_40_am.log" dev=fuse ino=11347048 scontext=u:r:adbd:s0 tcontext=u:object_r:sdcard:s0 tclass=file

<5>[ 5840.567321] type=1400 audit(1335291853.773:285): avc:  denied  { read } for  pid=1655 comm="adbd" name="sepolicy.24" dev=rootfs ino=158 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=file

<5>[ 5840.567749] type=1400 audit(1335291853.773:286): avc:  denied  { open } for  pid=1655 comm="adbd" name="sepolicy.24" dev=rootfs ino=158 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=file

<5>[ 5936.634368] type=1400 audit(1335291949.843:287): avc:  denied  { sendto } for  pid=251 comm="WifiStateMachin" path="/dev/socket/wpa_wlan0" scontext=u:r:system:s0 tcontext=u:r:init:s0 tclass=unix_dgram_socket

<5>[ 5967.371276] type=1400 audit(1335291980.578:288): avc:  denied  { read } for  pid=227 comm="WindowManagerPo" path=2F6465762F6173686D656D2F64616C76696B2D68656170202864656C6574656429 dev=tmpfs ino=2720 scontext=u:r:system:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file

<5>[ 6771.653778] type=1400 audit(1335292784.858:289): avc:  denied  { getattr } for  pid=714 comm="ndroid.calendar" path="/system/framework/framework-res.apk" dev=mmcblk0p10 ino=20969 scontext=u:r:trusted_app:s0:c5 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 6771.658660] type=1400 audit(1335292785.044:290): avc:  denied  { getattr } for  pid=605 comm="droid.deskclock" path="/system/framework/framework-res.apk" dev=mmcblk0p10 ino=20969 scontext=u:r:trusted_app:s0:c10 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 6776.683288] type=1400 audit(1335292790.062:291): avc:  denied  { getattr } for  pid=588 comm="viders.calendar" path="/system/framework/framework-res.apk" dev=mmcblk0p10 ino=20969 scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:unlabeled:s0 tclass=file

<5>[ 7844.944458] type=1400 audit(1335293858.323:292): avc:  denied  { call } for  pid=323 comm="d.process.media" scontext=u:r:trusted_app:s0:c11 tcontext=u:r:init:s0 tclass=binder

<5>[ 9844.206542] type=1400 audit(1335295857.589:293): avc:  denied  { read } for  pid=2207 comm="Thread-53" path=2F6465762F6173686D656D2F64616C76696B2D68656170202864656C6574656429 dev=tmpfs ino=2720 scontext=u:r:system_app:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file


* RE: Success - SEAndroid on Galaxy Nexus maguro
From: Stephen Smalley @ 2012-04-24 20:11 UTC (permalink / raw)
  To: Palarz Thomas-DCJ738; +Cc: selinux@tycho.nsa.gov

On Tue, 2012-04-24 at 19:40 +0000, Palarz Thomas-DCJ738 wrote:
> Great info. Thanks.
> 
> The MDD aspects of CDS are appealing, though this is mostly for my own
> kind of experimentation at the moment. What about for MLS kind of
> solutions? Is that policy also expected to remain small?

Policy size is primarily a function of the number of domains and types
in the system, which isn't affected by MLS vs non-MLS.  And we're
already enabling the MLS engine and using categories for app isolation.
You could explicitly assign levels via a different seapp_contexts
configuration; the rest of the policy wouldn't change.

> My log file from SEAndroidManager is attached. Any help would be appreciated. This is a vanilla build with no modifications of my own. I am running ClockworkMod as the recovery image. I have tried installing su and Superuser.apk so that I can get busybox on there, but it's not in the build I am running right now. It could be just a config or build kind of thing that I did wrong, but my first guess is that it is maguro specific.

As expected, it appears you have some labeling problems:
- You have /dev/tty03 labeled with the generic device type rather than
the nfc_device type. Did you use our device/samsung/tuna project with
its sepolicy.fc file?  That includes an entry for /dev/tty03 to label it
as nfc_device, which should have been appended to your file_contexts
configuration in the root directory for your boot image when the policy
was built.

- Some process is running in the init domain rather than in its own
domain, triggering various denials when other processes try to interact
with it.  ps -Z output would be helpful.  This might just be a file
labeling problem if its binary in /system/bin is not correctly labeled.

- You have various files that are unlabeled (note the unlabeled type in
their tcontext), e.g. /system/lib/egl/libGLES_android.so.  How were
those files installed to your system image?  We have modified the
filesystem image building tools (make_ext4fs + mkyaffs2image) and the
recovery console / updater programs to correctly label files when they
are created, but if you are creating them some other way they won't get
labeled.  Probably due to you using ClockworkMod recovery, as that
wouldn't have any awareness of file xattrs.  You can fix them up by
remounting /system read-write and running restorecon on it, or just by
rebuilding the image the normal way and reflashing it.

Once you've resolved labeling problems, we can go back to adding allow
rules, but the labels need to be right first.

-- 
Stephen Smalley
National Security Agency



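The triage Stephen applies in the two replies above (look at the denials before reaching for audit2allow, then separate labeling problems from genuine policy gaps) can be scripted. The following is an added example written for this page; it is not code from the thread or from the SE Android project. It parses "avc: denied" lines in the format of the attached log (five lines from that log are reused as sample input), decodes the hex-encoded comm/path/name fields that the kernel audit code emits for strings containing spaces or quotes, and sorts each denial into a labeling bucket (unlabeled target, target process in the init domain, generic device node, matching Stephen's three findings) or a policy bucket. The bucket names and the heuristics in triage() are my own, and the code only handles lines in this format.

```python
import re
import sys
from collections import defaultdict

# Sample input: five lines copied from the attached SEAndroid Manager log.
SAMPLE_LOG = """<5>[ 3451.713867] type=1400 audit(1335289464.923:229): avc:  denied  { write } for  pid=477 comm="message" path="/dev/ttyO3" dev=tmpfs ino=2332 scontext=u:r:nfc:s0 tcontext=u:object_r:device:s0 tclass=chr_file
<5>[ 3451.767578] type=1400 audit(1335289464.977:230): avc:  denied  { read } for  pid=338 comm="putmethod.latin" path=2F6465762F6173686D656D2F64616C76696B2D4C696E656172416C6C6F63202864656C6574656429 dev=tmpfs ino=2725 scontext=u:r:trusted_app:s0:c16 tcontext=u:object_r:init_tmpfs:s0 tclass=file
<5>[ 3453.827087] type=1400 audit(1335289467.032:232): avc:  denied  { receive } for  pid=387 comm=42696E646572205468726561642023 scontext=u:r:trusted_app:s0:c17 tcontext=u:r:init:s0 tclass=binder
<5>[ 3454.843597] type=1400 audit(1335289468.048:235): avc:  denied  { execute } for  pid=558 comm="android_manager" path="/system/lib/egl/libGLES_android.so" dev=mmcblk0p10 ino=20989 scontext=u:r:system_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<5>[ 5268.279083] type=1400 audit(1335291281.484:271): avc:  denied  { read write } for  pid=1517 comm="sh" name="tty" dev=tmpfs ino=2493 scontext=u:r:adbd:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The kernel hex-encodes these string fields when they contain spaces,
# quotes or non-printable bytes (e.g. the comm "Binder Thread #" above).
HEX_STRING_FIELDS = {"comm", "path", "name"}


def decode_string(raw):
    """Return a quoted audit string unquoted, or a hex-encoded one decoded."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        try:
            return bytes.fromhex(raw).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            pass
    return raw


def parse_avc(line):
    """Parse one 'avc: denied' line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        rec[key] = decode_string(raw) if key in HEX_STRING_FIELDS else raw
    return rec


def context_type(ctx):
    """u:r:nfc:s0 -> 'nfc'; u:object_r:unlabeled:s0 -> 'unlabeled'."""
    return ctx.split(":")[2]


def is_process_context(ctx):
    """Process contexts carry the 'r' role; objects carry 'object_r'."""
    return ctx.split(":")[1] == "r"


def triage(rec):
    """Classify a denial as a labeling problem or a policy gap (heuristics are mine)."""
    ttype = context_type(rec["tcontext"])
    if ttype == "unlabeled":
        return ("labeling", "target file has no label: restorecon /system or rebuild and reflash")
    if is_process_context(rec["tcontext"]) and ttype == "init":
        return ("labeling", "target process runs in the init domain: check its binary's label (ps -Z)")
    if rec["tclass"] == "chr_file" and ttype == "device":
        return ("labeling", "target is a generic device node: needs a specific file_contexts entry")
    return ("policy", "labels look right: review for an allow rule")


def build_report(log_text):
    """Group denials by (source domain, target type, class, perms) inside each bucket."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        bucket, _reason = triage(rec)
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec["tclass"], rec["perms"])
        report[bucket][key] += 1
    return {bucket: dict(rows) for bucket, rows in report.items()}


if __name__ == "__main__":
    # Usage: python avc_triage.py [avc_log_file]; defaults to the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for bucket, rows in sorted(build_report(text).items()):
        print(f"== {bucket} ==")
        for (sdom, ttype, tclass, perms), n in sorted(rows.items()):
            print(f"{n:4d}  {sdom} -> {ttype} {tclass} {{ {' '.join(perms)} }}")
```

Run against the full attachment, the "labeling" bucket absorbs every denial whose tcontext is unlabeled, init or the generic device type, which is the bulk of the file; only the remaining "policy" rows (for instance adbd on tty_device, or trusted_app reading init_tmpfs) are worth feeding to audit2allow once the labels have been fixed.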
