@msfjarvis
Last active December 16, 2023 20:50
How to write sepolicy to fix a denial

Migrated with additional information to my blog: https://msfjarvis.dev/posts/understanding-and-resolving-selinux-denials-on-android/

--------------

Denial in question

avc: denied { read write } for pid=29059 comm="i.tetherservice" name="ipa" dev="tmpfs" ino=11991 scontext=u:r:system_app:s0 tcontext=u:object_r:ipa_dev:s0 tclass=chr_file permissive=0

sepolicy fix

allow system_app ipa_dev:chr_file {read write};

How did I write it? Easy.

First, you need to identify the process (the source domain) which attempted the action that raised the denial.

The value in scontext is the offender. In our case, it is system_app.

Next, find the target type and object class on which access was attempted. The target type comes from tcontext: split it on the : delimiter and take index 2, which is the second field from the right (u:object_r:ipa_dev:s0 gives ipa_dev). Combine it with the value of tclass and you get the target, which is ipa_dev:chr_file in our example.

Finally, find the action being performed, i.e. the permissions listed inside the braces. This is fairly simple.

avc: denied { read write } for

{read write} is the action here.

Put this all together and you get the final sepolicy rule.
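The three steps above, as an added Python example (this is not code from the gist): it parses AVC denial lines into source domain, target type, object class and permission set, then prints the allow rule. It goes a little beyond the single-denial case: a logcat prefix before avc: is skipped, lines that share a source/target/class triple are merged into one rule, and when scontext and tcontext carry the same type the target is written as self, the convention a commenter uses further down the thread. The sample lines are the gist's own denial, three lines quoted from the comment thread, and one constructed duplicate (marked as such) to show the merging.

```python
"""Turn AVC denial lines into SELinux allow rules, following the gist's recipe.

Source domain = type field of scontext
Target type   = type field of tcontext (index 2 after splitting on ':')
Object class  = tclass
Permissions   = the set inside `denied { ... }`
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}"        # permissions that were denied
    r".*?\bscontext=(?P<scontext>\S+)"             # who attempted the access
    r".*?\btcontext=(?P<tcontext>\S+)"             # what it was attempted on
    r".*?\btclass=(?P<tclass>\S+)"                 # object class
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"   # 1 = only logged, not enforced
)

# Sample input: the gist's denial, three lines from the thread, one constructed
# line (same triple as the first, different permission) and one non-AVC line.
SAMPLE_DENIALS = [
    'avc: denied { read write } for pid=29059 comm="i.tetherservice" name="ipa" dev="tmpfs" ino=11991 scontext=u:r:system_app:s0 tcontext=u:object_r:ipa_dev:s0 tclass=chr_file permissive=0',
    'avc: denied { sys_admin } for capability=21 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability permissive=0',
    '4597 W com.android.settings: type=1400 audit(0.0:14): avc: denied { call } for comm=4173796E635461736B202335 scontext=u:r:system_app:s0 tcontext=u:r:wificond:s0 tclass=binder permissive=0',
    '272 E SELinux : avc: denied { find } for service=installd pid=4383 uid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:installd_service:s0 tclass=service_manager permissive=0',
    # constructed for this example, not from a device log
    'avc: denied { open } for pid=29060 comm="i.tetherservice" name="ipa" dev="tmpfs" ino=11991 scontext=u:r:system_app:s0 tcontext=u:object_r:ipa_dev:s0 tclass=chr_file permissive=0',
    'not an avc line at all',
]


def context_type(ctx):
    """u:r:system_app:s0 -> system_app; MCS suffixes such as :c512,c768 are ignored."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_denial(line):
    """Return the fields of one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": frozenset(m.group("perms").split()),
        "permissive": m.group("permissive") == "1",
    }


def denials_to_rules(lines):
    """Merge the denials in `lines` into a sorted list of allow rules."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        # same type on both sides -> write the target as `self`
        target_name = "self" if target == source else target
        rules.append(f"allow {source} {target_name}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def rule_for(line):
    """The single-denial case from the gist: one log line -> one rule."""
    if parse_denial(line) is None:
        raise ValueError("no AVC denial found in line")
    return denials_to_rules([line])[0]


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_DENIALS):
        print(rule)
```

Treat the output as the rule the log asks for, not as the rule to ship: audit2allow (which a commenter below runs against the pulled policy) does the same translation, and either way you still decide whether the access is legitimate before granting it. A permissive=1 line means the access already went through and was only logged.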

Labelling in SELinux

To define new types for adding sepolicy exclusions, we use labelling.

For this example, let's assume we want to label the KCal sysfs nodes under the sysfs_kcal type.

KCal sysfs nodes are inside the /sys/devices/platform/kcal_ctrl.0/ directory. To put them all under a single label, we use a simple regex: the (/.*)? suffix matches the directory itself as well as everything beneath it. The type name should be added to file_contexts in your device tree's sepolicy folder. If it doesn't exist, create it.

/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:sysfs_kcal:s0

This line in file_contexts will put all files inside the /sys/devices/platform/kcal_ctrl.0/ folder under the sysfs_kcal label.

Next we open up the relative .te file for the domain we want to grant access to the KCal sysfs. Let's assume it's system_app, for this example.

Open up system_app.te from your sepolicy dir (create if missing, usual drill).

First, we need to declare the sysfs_kcal type and the attributes it carries. For granting read/write access, it will have to be fs_type and sysfs_type, as should be obvious.

type sysfs_kcal, fs_type, sysfs_type;

There, we can now add exclusions for sysfs_kcal, treating it as a sysfs node as well as a filesystem item, like a folder or a file.

To be able to read or write to the sysfs node, we need to be able to find it first. Then we need to grant system_app the ability to read and write from and to it.

allow system_app sysfs_kcal:dir search;
allow system_app sysfs_kcal:file rw_file_perms;

Here we utilise the fs_type declaration to treat the labelled sysfs nodes as directories as well as files and grant the necessary permissions.

And that's it! Now all system apps can read from and write to all nodes in the /sys/devices/platform/kcal_ctrl.0/ directory.
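A way to check a file_contexts line before building the policy, as an added Python example (not the gist's own code): a minimal re-implementation of file_contexts matching that reports which label a path would get. Two simplifications are assumed here: a pattern is matched against the whole path (anchored as ^...$), and when several entries match, the one with the longest literal prefix (its stem) wins, which is how more specific entries normally beat generic ones. The entries are the KCal line from the gist plus a generic sysfs fallback constructed for the example.

```python
"""Which file_contexts entry labels a given path?"""
import re

# Constructed entries: the gist's KCal line plus a generic /sys fallback that is
# assumed for this example, not taken from a real device tree.
FILE_CONTEXTS = [
    ("/sys(/.*)?", "u:object_r:sysfs:s0"),
    ("/sys/devices/platform/kcal_ctrl.0(/.*)?", "u:object_r:sysfs_kcal:s0"),
]

_META = set(".^$?*+|[](){}\\")


def stem(pattern):
    """Literal prefix of a pattern, up to the first regex metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in _META:
            return pattern[:i]
    return pattern


def label_for(path, entries=FILE_CONTEXTS):
    """Return the label for `path`, or None if no entry matches.

    Assumptions of this example: whole-path matching (re.fullmatch) and the
    longest stem wins when more than one entry matches.
    """
    best = None
    for pattern, label in entries:
        if re.fullmatch(pattern, path) is None:
            continue
        if best is None or len(stem(pattern)) > len(stem(best[0])):
            best = (pattern, label)
    return best[1] if best else None


def type_of(label):
    """u:object_r:sysfs_kcal:s0 -> sysfs_kcal (same index-2 rule as for tcontext)."""
    return label.split(":")[2]


if __name__ == "__main__":
    for p in ("/sys/devices/platform/kcal_ctrl.0/kcal",
              "/sys/class/leds/lcd-backlight/brightness",
              "/sys/devices/platform/kcal_ctrlX0/kcal"):
        print(p, "->", label_for(p))
```

One thing the check makes visible: the dot in kcal_ctrl.0 is unescaped, so the pattern also matches a path such as /sys/devices/platform/kcal_ctrlX0/kcal, and anything the pattern matches receives the sysfs_kcal label and with it the read/write grant above. Writing kcal_ctrl\.0 in file_contexts keeps the label to the intended directory.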

@karthikkm007

Thanks bro
This is a really useful guide

@Surge1223

I almost fell asleep reading this

@MasterKhatri

Thanks bhai

@anayw2001

tanks jorbis

@rupansh

rupansh commented Aug 13, 2018

jorbis gawd

@Goayandi

Thank you very much! This guide helped me a lot.

@mesziman

mesziman commented Oct 7, 2018

If scontext and tcontext are the same, like netmgr, then instead of allow { stuff } netmgr **netmgr**:something, in the second place write self.
Full example:
log:
avc: denied { sys_admin } for capability=21 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability permissive=0
Rule:
allow netutils_wrapper self:capability sys_admin;

@AndroiableDroid

How to fix a denial like 01-04 04:04:34.746 327 327 I init : type=1400 audit(0.0:3): avc: denied { execute_no_trans } for path="/system/vendor/bin/hw/android.hardware.light@2.0-service.mobee01a" dev="mmcblk0p23" ino=2630 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1


ghost commented Nov 21, 2018

denied { read } for name="u:object_r:qemu_hw_mainkeys_prop:s0" dev="tmpfs" ino=8318 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:qemu_hw_mainkeys_prop:s0 tclass=file permissive=1

@NoSpamDan

Thanks for this, dude!

@whofixx

whofixx commented Feb 6, 2019

How to get denial log?

@rajesh-xda

Sir, I have the following denials on Oreo 8.1. How do I write sepolicy to fix these?

343 343 W light@2.0-servi: type=1400 audit(0.0:8): avc: denied { read write } for name="brightness" dev="sysfs" ino=14905 scontext=u:r:hal_light_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

4005 W .omnirom.device: type=1400 audit(0.0:9): avc: denied { write } for name="gesture_ctrl" dev="sysfs" ino=3135 scontext=u:r:system_app:s0 tcontext=u:object_r:touchpanel_sysfs:s0 tclass=file permissive=0

4597 W com.android.settings: type=1400 audit(0.0:14): avc: denied { call } for comm=4173796E635461736B202335 scontext=u:r:system_app:s0 tcontext=u:r:wificond:s0 tclass=binder permissive=0

272 E SELinux : avc: denied { find } for service=installd pid=4383 uid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:installd_service:s0 tclass=service_manager permissive=0

@saikiran2001

Thank you very much for this guide

@adi8900

adi8900 commented Apr 24, 2019

Thanks, I thought sepolicy was a hard thing but this is pretty simple now for me.

@TheReverseHero

log:
06-08 16:15:01.598 W/Binder:3172_4(3172): type=1400 audit(0.0:35360): avc: denied { write } for name="property_service" dev="tmpfs" ino=14201 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Policy fix:
allow priv_app property_socket:sock_file {write};

But I'm a user, not a builder. How do I implement this in the SELinux policy?

@nomana94

Hello Sir, I am developing an app and I am getting a similar warning. Could you please explain more about where to write the policy? Is it in Android Studio in my app's folder, or is it somewhere on the device? (It may sound stupid, sorry for that.) Thanks

@karkhileshardul

Thanks Man..Cheers..

@Uj947nXmRqV2nRaWshKtHzTvckUUpD

I have android logcat spammed with these denials:

10-15 22:02:29.039 12944 12944 W kworker/0:4: type=1400 audit(0.0:87190): avc: denied { read write } for name="sde73" dev="tmpfs" ino=28978 scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0

I understand that I should write a rule:
allow kernel oem_device:blk_file {read write};

adb pull /sys/fs/selinux/policy
adb logcat -b all -d | audit2allow -p policy #this confirms the rule

My question is, where exactly should I add this? What are the next steps? Thank you!


ghost commented Mar 25, 2021

Woahh, great tutorial! Thank you very much! ^_^

@Uj947nXmRqV2nRaWshKtHzTvckUUpD

This is how I handled the problems. Hope it is helpful:

To identify issues:
adb shell su - logcat *:W | grep --line-buffered 'avc'

In Termux or via adb, I created a start-up script:

su -
cd /data/adb/post-fs-data.d #or /data/adb/service.d
touch fix_selinux.sh
chmod +x fix_selinux.sh
vi fix_selinux.sh

This is the script that fixes some selinux issues (this is for reference only):


#####  START OF SCRIPT ######


#KERNEL
/sbin/magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
/sbin/magiskpolicy --live 'allow kernel kernel capability {kill}'

#SHELL
/sbin/magiskpolicy --live 'allow shell rootfs file {getattr}'

#SYSTEM
/sbin/magiskpolicy --live 'allow system_app system_data_file dir {read write create setattr}'
/sbin/magiskpolicy --live 'allow system_app system_data_file file {create}'

#MAGISK
/sbin/magiskpolicy --live 'allow magisk_client vendor_file dir {read}'

#HAL
/sbin/magiskpolicy --live 'allow hal_memtrack_default sysfs_kgsl dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server file {read open getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default proc file {getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default sensors_dbg_prop file {read open getattr map}'

echo "selinux ok" > /data/adb/post-fs-data.d/status_selinux.log

#####  END OF SCRIPT ######

Details of how magiskpolicy works: https://topjohnwu.github.io/Magisk/guides.html#boot-scripts

@britto-m

I have a loopback device created and mounted the partition under /data/, and this location needs to be accessed by the privileged app and the framework. Can you suggest how to write the SELinux policy for this?

@kevin01523

This is how I handled the problems. Hope it is helpful:

To identify issues: adb shell su - logcat *:W | grep --line-buffered 'avc'

In Termux or via adb, I created a start-up script:

su -
cd /data/adb/post-fs-data.d #or /data/adb/service.d
touch fix_selinux.sh
chmod +x fix_selinux.sh
vi fix_selinux.sh

This is the script that fixes some selinux issues (this is for reference only):


#####  START OF SCRIPT ######


#KERNEL
/sbin/magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
/sbin/magiskpolicy --live 'allow kernel kernel capability {kill}'

#SHELL
/sbin/magiskpolicy --live 'allow shell rootfs file {getattr}'

#SYSTEM
/sbin/magiskpolicy --live 'allow system_app system_data_file dir {read write create setattr}'
/sbin/magiskpolicy --live 'allow system_app system_data_file file {create}'

#MAGISK
/sbin/magiskpolicy --live 'allow magisk_client vendor_file dir {read}'

#HAL
/sbin/magiskpolicy --live 'allow hal_memtrack_default sysfs_kgsl dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server file {read open getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default proc file {getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default sensors_dbg_prop file {read open getattr map}'

echo "selinux ok" > /data/adb/post-fs-data.d/status_selinux.log

#####  END OF SCRIPT ######

Details of how magiskpolicy works: https://topjohnwu.github.io/Magisk/guides.html#boot-scripts

To identify issues: adb shell su -C logcat *:W | grep --line-buffered 'avc'

@techyminati

Damn, this is always useful to brush up on sepolicy

@kevin01523

Yeah, works great. Fixed my problems on one of my apps failing to load files from my SD card.
