|Android| selinux: debug and add new one

Sometimes you find this log pattern in the kernel log (cat /proc/kmsg or dmesg):
audit(.:*): avc: denied

It means that SELinux is denying an access your policy does not allow.

– There is a temporary workaround for this issue:
setenforce 0 (switches SELinux to permissive mode: denials are still logged but no longer enforced)
getenforce (should now print "Permissive")

– Debugging sepolicy:
Go to:
android/device/{vendor: qcom}/sepolicy/{generic,legacy}/vendor/common/*.te

log:

audit(1441759284.810:5): avc: denied { read } for pid=1494 comm="sdcard" name="0" dev="nandk" ino=245281 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Re-arrangement (the fields that matter for the rule):

scontext = u:r:sdcardd:s0 (source type: sdcardd)
tcontext = u:object_r:system_data_file:s0 (target type: system_data_file)
tclass = dir
avc: denied { read }


Formula:
In the .te file of the source type (here sdcardd.te), add an allow rule:
allow sdcardd system_data_file:dir read;
or, using the macro for the full set of directory read/write permissions:
allow sdcardd system_data_file:dir rw_dir_perms;

Test:
Flash boot.img and reboot
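The re-arrangement and formula steps above, as an added example (not from the original post): a small Python script that parses avc denial lines, groups them by source type, target type and class, and prints the matching allow rules. The second and third log lines are constructed for this example; AOSP ships audit2allow for the full-featured version of this.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial quoted above, lines 2 and 3 are
# made up to show how several denials collapse into one rule each.
SAMPLE_LOG = """
audit(1441759284.810:5): avc: denied { read } for pid=1494 comm="sdcard" name="0" dev="nandk" ino=245281 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
audit(1441759284.812:6): avc: denied { search } for pid=1494 comm="sdcard" name="0" dev="nandk" ino=245281 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
audit(1441759290.001:7): avc: denied { read write } for pid=812 comm="system_server" name="my_node" dev="tmpfs" ino=1234 scontext=u:r:system_server:s0 tcontext=u:object_r:my_node_device:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denial(line):
    """Return (source_type, target_type, tclass, perms) for one avc line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:sensitivity; an allow rule names only the type.
    src = m.group("scontext").split(":")[2]
    tgt = m.group("tcontext").split(":")[2]
    perms = set(m.group("perms").split())
    return src, tgt, m.group("tclass"), perms


def denials_to_allow_rules(log_text):
    """Group denials by (source, target, class) and emit one allow rule per group."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_denial(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            grouped[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (src, tgt, tclass, perm_str))
    return rules


if __name__ == "__main__":
    for rule in denials_to_allow_rules(SAMPLE_LOG):
        print(rule)
```

Review each generated rule before adding it to the .te file: a denial can also mean the target is mislabelled (an unexpected tcontext), in which case the fix is a file_contexts entry rather than a broader allow rule.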


How to add sepolicy for a new device node?
Suppose you want to add a new device node (/dev/my_node)
and let system_server read and write it:

1. …/sepolicy/device.te
Define a new dev_type for the node, following existing declarations such as
type private_block_device, dev_type;

type my_node_device, dev_type;

2. file_contexts
Label /dev/my_node as my_node_device:

/dev/block/by-name/misc u:object_r:misc_block_device:s0
/dev/block/by-name/alog u:object_r:log_block_device:s0
/dev/block/by-name/private u:object_r:private_block_device:s0
 ..
# add here
/dev/my_node u:object_r:my_node_device:s0

3. In system_server.te
Following the denials shown by "dmesg | grep avc", allow system_server to read and write my_node_device:

allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;
 ……
allow system_server my_node_device:chr_file rw_file_perms;