SE Linux: category assignment for binary executable

Yanyu Zhang

Jan 2, 2024, 12:10:28 PM
to android-ndk
As the title says, I am trying to figure out a way to give a binary executable `create_logs` the right SELinux context. I have added the domain transition and permissions; however, due to the category of certain objects, AVC denials appear as below.

```
avc: denied { open } for path="/data/user/10/com.android.dreams.basic" dev="vdb" ino=4260006 scontext=u:r:create_logs:s0 tcontext=u:object_r:app_data_file:s0:c39,c256,c522,c768 tclass=dir permissive=1
```
where I have added
```
allow create_logs app_data_file:dir open;
```

I realize that create_logs needs to have the same category as app_data_file, but since my executable is started from the rc script, there isn't a graceful way for me to assign the categories without hardcoding. Can I get some help here?

Florian Mayer

Jan 2, 2024, 12:25:12 PM
to andro...@googlegroups.com
(This doesn't sound like an NDK question, but anyway here we go:) I am not 100 % sure, but you might be able to use `typeattribute create_logs mlstrustedsubject;` to fix this.
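
The category mismatch discussed in this thread can be read straight out of the denial. The following is an added example, not part of the original posts: it parses the quoted AVC line and compares the MLS levels of `scontext` and `tcontext`. It assumes the standard MLS dominance rule (equal-or-higher sensitivity and a superset of categories); the exact constraint in a given platform policy may differ, and all function names are hypothetical.

```python
import re

# Constructed input: the denial quoted in the question above.
SAMPLE = ('avc: denied { open } for path="/data/user/10/com.android.dreams.basic" '
          'dev="vdb" ino=4260006 scontext=u:r:create_logs:s0 '
          'tcontext=u:object_r:app_data_file:s0:c39,c256,c522,c768 '
          'tclass=dir permissive=1')

CTX_RE = re.compile(r'\b([st])context=(\S+)')

def parse_level(level):
    """Split one MLS level such as 's0:c1,c5.c7' into (sensitivity, {categories})."""
    sens, _, cats = level.partition(':')
    out = set()
    for item in filter(None, cats.split(',')):
        lo, _, hi = item.partition('.')          # 'c5.c7' denotes a range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), out

def parse_context(ctx):
    """Return (type, sensitivity, categories) from 'user:role:type:level[-high]'."""
    _user, _role, type_, mls = ctx.split(':', 3)
    low = mls.split('-', 1)[0]                   # assumption: compare low levels only
    sens, cats = parse_level(low)
    return type_, sens, cats

def explain_denial(line):
    """Report whether the source level dominates the target level."""
    ctx = dict(CTX_RE.findall(line))
    s_type, s_sens, s_cats = parse_context(ctx['s'])
    t_type, t_sens, t_cats = parse_context(ctx['t'])
    return {
        'source': s_type,
        'target': t_type,
        'dominates': s_sens >= t_sens and s_cats >= t_cats,
        'missing_categories': ['c%d' % c for c in sorted(t_cats - s_cats)],
    }

if __name__ == '__main__':
    print(explain_denial(SAMPLE))
```

When `dominates` is false for a denial that persists after a matching `allow` rule is in place, the block is coming from the category mismatch rather than from a missing type-enforcement rule.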
