How to write sepolicy to fix a denial

Migrated with additional information to my blog: https://msfjarvis.dev/posts/understanding-and-resolving-selinux-denials-on-android/

--------------

Denial in question

avc: denied { read write } for pid=29059 comm="i.tetherservice" name="ipa" dev="tmpfs" ino=11991 scontext=u:r:system_app:s0 tcontext=u:object_r:ipa_dev:s0 tclass=chr_file permissive=0

sepolicy fix

allow system_app ipa_dev:chr_file {read write};

How did I write it? Easy.

First, you need to identify the process/device which attempted the action which raised the denial.

The value in scontext is the offender. In our case, it is system_app.

Next, find the target of the attempted access. Take the value of tcontext, split it on the : delimiter and take index 2 (the second value from the right). Combine it with the value of tclass and you get the target, which is ipa_dev:chr_file in our example.

Finally, find the action being performed. This is fairly simple.

avc: denied { read write } for

{read write} is the action here.

Put this all together and you get the final sepolicy rule.
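As an added example (not part of the original gist), here is a small Python script that applies the three steps above to raw logcat lines and emits the allow rules. It goes slightly beyond the single denial shown: permissions for the same source, target and class are merged into one rule, and when scontext and tcontext carry the same type the rule uses self instead of repeating the type. The sample log is constructed from the denials quoted on this page.

```python
import re
from collections import defaultdict

# Fields of an "avc: denied" line that the rule needs (pid, comm, name, etc. are not).
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """'u:r:system_app:s0' -> 'system_app'. Index 2 of the ':'-split context is
    the type; a trailing MLS suffix such as ':s0:c512,c768' does not move it."""
    return ctx.split(":")[2]

def parse_denial(line):
    """Return the rule-relevant fields of one denial, or None for other log lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }

def denials_to_rules(lines):
    """One allow rule per (source, target, class) with merged permissions.
    When source and target types are identical, 'self' replaces the target."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

# Constructed sample log, modelled on the denials quoted on this page.
SAMPLE_LOG = [
    'avc: denied { read write } for pid=29059 comm="i.tetherservice" name="ipa" dev="tmpfs" ino=11991 scontext=u:r:system_app:s0 tcontext=u:object_r:ipa_dev:s0 tclass=chr_file permissive=0',
    'avc: denied { open } for pid=29059 comm="i.tetherservice" name="ipa" dev="tmpfs" ino=11991 scontext=u:r:system_app:s0 tcontext=u:object_r:ipa_dev:s0 tclass=chr_file permissive=0',
    'avc: denied { sys_admin } for capability=21 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability permissive=0',
    "I init    : unrelated logcat line that must be ignored",
]

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

Feed it the output of logcat (or dmesg) and review each emitted rule before committing it; a denial is not automatically something that should be allowed.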

Labelling in SELinux

To define new types for adding sepolicy exclusions, we use labelling.

For this example, let's assume we want to label the KCal sysfs nodes under the sysfs_kcal type.

KCal sysfs nodes live inside the /sys/devices/platform/kcal_ctrl.0/ directory. To put them all under a single label, we use a simple regex. The labelling line below goes in file_contexts in your device tree's sepolicy folder. If that file doesn't exist, create it.

/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:sysfs_kcal:s0

This line in file_contexts will put all files inside the /sys/devices/platform/kcal_ctrl.0/ folder under the sysfs_kcal label.

Next we open the .te file for the domain we want to grant access to the KCal sysfs. Let's assume it's system_app for this example.

Open up system_app.te from your sepolicy dir (create if missing, usual drill).

First, we need to declare which type attributes the sysfs_kcal label carries. For granting read/write access to a sysfs node, it has to be both fs_type and sysfs_type.

type sysfs_kcal, fs_type, sysfs_type;

Now we can add rules for sysfs_kcal, treating it both as a sysfs node and as a filesystem object such as a directory or a file.

To be able to read or write to the sysfs node, we need to be able to find it first. Then we need to grant system_app the ability to read and write from and to it.

allow system_app sysfs_kcal:dir search;
allow system_app sysfs_kcal:file rw_file_perms;

Here we rely on the fs_type declaration to treat the labelled sysfs nodes as a directory as well as a file, and grant the necessary permissions.

And that's it! Now all system apps can read from and write to all nodes in the /sys/devices/platform/kcal_ctrl.0/ directory.

SubhrajyotiSen commented Jun 13, 2017

Thanks a ton for this

mosimchah commented Jun 15, 2017

Thanks man :)

shrukul commented Sep 7, 2017

Wow. Was looking exactly for this!

ghost commented Feb 4, 2018

rk779 commented Feb 4, 2018

thug af

SagarMakhar commented Mar 13, 2018

thanks for this cool guide

karthikkm007 commented Mar 29, 2018

Thanks bro
This is a really useful guide

Surge1223 commented Apr 7, 2018

I almost fell asleep reading this

MasterKhatri commented Apr 17, 2018

Thanks bhai

anayw2001 commented Jun 24, 2018

tanks jorbis

rupansh commented Aug 13, 2018

jorbis gawd

Goayandi commented Aug 20, 2018

Thank you very much! This guide helped me a lot.

mesziman commented Oct 7, 2018

If scontext and tcontext are the same, like netmgr, then instead of allow { stuff } netmgr netmgr:something, in the second place write self.

Full example:

log:
avc: denied { sys_admin } for capability=21 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability permissive=0

Rule:
allow netutils_wrapper self:capability sys_admin;

AndroiableDroid commented Oct 31, 2018

How to fix a denial like this one?

01-04 04:04:34.746 327 327 I init : type=1400 audit(0.0:3): avc: denied { execute_no_trans } for path="/system/vendor/bin/hw/android.hardware.light@2.0-service.mobee01a" dev="mmcblk0p23" ino=2630 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1

ghost commented Nov 21, 2018

denied { read } for name="u:object_r:qemu_hw_mainkeys_prop:s0" dev="tmpfs" ino=8318 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:qemu_hw_mainkeys_prop:s0 tclass=file permissive=1

NoSpamDan commented Feb 2, 2019

Thanks for this, dude!

whofixx commented Feb 6, 2019

How do I get the denial log?

rajesh-xda commented Feb 15, 2019

Sir, I have the following denials on Oreo 8.1. How do I write sepolicy to fix these?

343 343 W light@2.0-servi: type=1400 audit(0.0:8): avc: denied { read write } for name="brightness" dev="sysfs" ino=14905 scontext=u:r:hal_light_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

4005 W .omnirom.device: type=1400 audit(0.0:9): avc: denied { write } for name="gesture_ctrl" dev="sysfs" ino=3135 scontext=u:r:system_app:s0 tcontext=u:object_r:touchpanel_sysfs:s0 tclass=file permissive=0

4597 W com.android.settings: type=1400 audit(0.0:14): avc: denied { call } for comm=4173796E635461736B202335 scontext=u:r:system_app:s0 tcontext=u:r:wificond:s0 tclass=binder permissive=0

272 E SELinux : avc: denied { find } for service=installd pid=4383 uid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:installd_service:s0 tclass=service_manager permissive=0

saikiran2001 commented Feb 17, 2019

Thank you very much for this guide

adi8900 commented Apr 24, 2019

Thanks, I thought sepolicy was a hard thing but it is pretty simple for me now.

TheReverseHero commented Jun 8, 2019

log:
06-08 16:15:01.598 W/Binder:3172_4(3172): type=1400 audit(0.0:35360): avc: denied { write } for name="property_service" dev="tmpfs" ino=14201 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Policy fix:
allow priv_app property_socket:sock_file {write};

But I'm a user, not a builder. How do I implement this in the SELinux policy?

nomana94 commented Jul 18, 2019

Hello Sir, I am developing an app and I am getting a similar warning. Could you please explain more about where to write the policy? Is it in Android Studio in my app's folder, or is it somewhere on the device? (It may sound stupid, sorry for that.) Thanks

karkhileshardul commented Oct 1, 2020

Thanks Man..Cheers..

fusionneur commented Oct 15, 2020

I have the Android logcat spammed with these denials:

10-15 22:02:29.039 12944 12944 W kworker/0:4: type=1400 audit(0.0:87190): avc: denied { read write } for name="sde73" dev="tmpfs" ino=28978 scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0

I understand that I should write a rule:
allow kernel oem_device:blk_file {read write};

adb pull /sys/fs/selinux/policy
adb logcat -b all -d | audit2allow -p policy   # this confirms the rule

My question is, where exactly should I add this? What are the next steps? Thank you!

ghost commented Mar 25, 2021

Woahh, great tutorial! Thank you very much! ^_^

fusionneur commented Mar 25, 2021

This is how I handled the problems. Hope it is helpful:

To identify issues:
adb shell su - logcat *:W | grep --line-buffered 'avc'

In Termux or via adb, I created a start-up script:

su -
cd /data/adb/post-fs-data.d   # or /data/adb/service.d
touch fix_selinux.sh
chmod +x fix_selinux.sh
vi fix_selinux.sh             # same file as created above

This is the script that fixes some SELinux issues (this is for reference only):

#####  START OF SCRIPT ######

#KERNEL
/sbin/magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
/sbin/magiskpolicy --live 'allow kernel kernel capability {kill}'

#SHELL
/sbin/magiskpolicy --live 'allow shell rootfs file {getattr}'

#SYSTEM
/sbin/magiskpolicy --live 'allow system_app system_data_file dir {read write create setattr}'
/sbin/magiskpolicy --live 'allow system_app system_data_file file {create}'

#MAGISK
/sbin/magiskpolicy --live 'allow magisk_client vendor_file dir {read}'

#HAL
/sbin/magiskpolicy --live 'allow hal_memtrack_default sysfs_kgsl dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server file {read open getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default proc file {getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default sensors_dbg_prop file {read open getattr map}'

echo "selinux ok" > /data/adb/post-fs-data.d/status_selinux.log

#####  END OF SCRIPT ######

Details of how magiskpolicy works: https://topjohnwu.github.io/Magisk/guides.html#boot-scripts

britto-m commented Apr 23, 2021

I have the loopback device created and the partition mounted under /data/, and this location needs to be accessed by the privileged app and the framework. Can you suggest how to write the SELinux policy for this?
