avc denials selinux


Aishwarya M

Feb 4, 2021, 7:39:14 AM2/4/21
to Anil Kumar Pugalia, inside...@googlegroups.com
Hi,

With regard to SELinux, I encountered the following error messages. I'm currently going through some resources on modifying sepolicies. But most of the denials were based on file access permissions.

The following are the errors encountered on running custom apps:

[   28.729002] audit: type=1400 audit(6776.279:4): avc:  denied  { write } for  pid=1 comm="init" name="kpi_values" dev="debugfs" ino=163 scontext=u:r:init:s0 tcontext=u:object_r:debugfs:s0 tclass=file permissive=0

[   39.574461] type=1400 audit(6787.129:5): avc: denied { entrypoint } for pid=538 comm="init" path="/init.peripheral.props.sh" dev="dm-0" ino=29 scontext=u:r:qti_init_shell:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0



[   43.986927] type=1400 audit(6791.539:25): avc: denied { transfer } for pid=593 comm="devicemanager" scontext=u:r:devicemanager:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0

[   44.151760] type=1400 audit(6791.699:26): avc: denied { write } for pid=39 comm="kdevtmpfs" name="snd" dev="devtmpfs" ino=7556 scontext=u:r:kernel:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0

[   46.061316] type=1400 audit(6793.539:165): avc: denied { search } for pid=558 comm="vendor.meaa.aut" name="cpucom" dev="mmcblk0p58" ino=16436 scontext=u:r:hal_vehicle_meaa:s0 tcontext=u:object_r:cpucom_data_file:s0 tclass=dir permissive=0



[   79.523270] type=1400 audit(1549865308.739:26269): avc: denied { create } for pid=733 comm="cpucomserviced" name="cpucomservice.sock" scontext=u:r:cpucomserviced:s0 tcontext=u:object_r:cpucom_data_file:s0 tclass=sock_file permissive=0 duplicate messages suppressed

Please could you let me know how these can be fixed?


Thanks and Regards,
Aishwarya M

raghavendra prasanth

Feb 4, 2021, 8:05:33 AM2/4/21
to inside...@googlegroups.com, Anil Kumar Pugalia
Hi, 

SELinux is MAC based and it is not a replacement for DAC. It works over DAC, so first you need to provide proper file permissions.

Once it is done and if you still have AVC denials, then please share the output of audit2allow -a.

Regards, 
Prasanth K S R 

--
You received this message because you are subscribed to the Google Groups "SysPlay's Inside Linux" group.
To unsubscribe from this group and stop receiving emails from it, send an email to inside_linux...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/inside_linux/CAGKLxtK4%2Boon4%2BR862Cv8fYbTm-5TVv0eFs1Ua-Pq%2BgFXqGj3Q%40mail.gmail.com.
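As an added illustration (not code from any participant in this thread) of what audit2allow -a does with denials like the ones quoted above, the script below parses AVC lines into one allow rule per (source type, target type, class). The sample log is constructed from the lines quoted earlier in the thread; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: three of the denial lines quoted in the thread, kept
# verbatim (kernel timestamps, double spaces, "duplicate messages suppressed").
SAMPLE_LOG = """\
[   28.729002] audit: type=1400 audit(6776.279:4): avc:  denied  { write } for  pid=1 comm="init" name="kpi_values" dev="debugfs" ino=163 scontext=u:r:init:s0 tcontext=u:object_r:debugfs:s0 tclass=file permissive=0
[   43.986927] type=1400 audit(6791.539:25): avc: denied { transfer } for pid=593 comm="devicemanager" scontext=u:r:devicemanager:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
[   79.523270] type=1400 audit(1549865308.739:26269): avc: denied { create } for pid=733 comm="cpucomserviced" name="cpucomservice.sock" scontext=u:r:cpucomserviced:s0 tcontext=u:object_r:cpucom_data_file:s0 tclass=sock_file permissive=0 duplicate messages suppressed
"""

# Permissions inside { }, then the source context, target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """u:r:init:s0 -> init, u:object_r:debugfs:s0 -> debugfs (user:role:type:level)."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # unrelated kernel output
        yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
               set(m["perms"].split()))


def allow_rules(text):
    """Merge denials into one 'allow' rule per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

The generated rule for the cpucomserviced denial belongs in that domain's .te file (and creating the socket file will next need { write add_name } on the parent directory), whereas a rule generated from a denial in a core domain such as init widens that domain's access to every file of the target type and should be reviewed rather than pasted in.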

Aishwarya M

Feb 4, 2021, 10:07:59 AM2/4/21
to inside...@googlegroups.com
Hi,

Thanks for the response. I'm not fully aware of how the rule can be written for the following:

[   79.523270] type=1400 audit(1549865308.739:26269): avc: denied { create } for pid=733 comm="cpucomserviced" name="cpucomservice.sock" scontext=u:r:cpucomserviced:s0 tcontext=u:object_r:cpucom_data_file:s0 tclass=sock_file permissive=0 duplicate messages suppressed

In order to give the necessary permissions for the above denial, what changes have to be made, and where in particular?

Regards,
Aishwarya M


Anil Kumar

Feb 8, 2021, 4:09:30 AM2/8/21
to inside...@googlegroups.com, Anil Kumar Pugalia
Hi Aishwarya,
You have to change SELinux policy rules to allow them.

You can get more info from here.


Regards,
Anilkumar appana


Aishwarya M

Feb 8, 2021, 5:51:47 AM2/8/21
to inside...@googlegroups.com, anila...@gmail.com
Hi,
Thanks for the response. I'll refer to the same.

Regards,
Aishwarya M
