@msfjarvis
Last active December 16, 2023 20:50
How to write sepolicy to fix a denial

Migrated with additional information to my blog: https://msfjarvis.dev/posts/understanding-and-resolving-selinux-denials-on-android/

--------------

Denial in question

avc: denied { read write } for pid=29059 comm="i.tetherservice" name="ipa" dev="tmpfs" ino=11991 scontext=u:r:system_app:s0 tcontext=u:object_r:ipa_dev:s0 tclass=chr_file permissive=0

sepolicy fix

allow system_app ipa_dev:chr_file {read write};

How did I write it? Easy.

First, identify the process that attempted the action that raised the denial.

The source context, scontext, names the offender: its type field (the third colon-separated value) is the domain of the process, system_app in our case.

Next, find the target of the attempted access. Take the value of tcontext, split it on the : delimiter and take index 2 (the second value from the right). Combine it with the value of tclass and you get the target type and object class, which is ipa_dev:chr_file in our example.

Finally, find the action being performed. This is fairly simple.

avc: denied { read write } for

The permissions listed inside the braces, {read write}, are the action.

Put this all together and you get the final sepolicy rule.
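As an added worked example (not part of the gist), here is a small Python script that applies the three steps above to raw AVC lines and also merges several denials for the same source/target/class into one rule. The sample lines are constructed: the first is the gist's own denial, the second is an assumed follow-up denial for open.

```python
import re

# Constructed sample AVC lines in the format shown above (the first is the
# gist's own denial, the second is an assumed follow-up denial for 'open').
SAMPLE_DENIALS = [
    'avc: denied { read write } for pid=29059 comm="i.tetherservice" name="ipa" '
    'dev="tmpfs" ino=11991 scontext=u:r:system_app:s0 '
    'tcontext=u:object_r:ipa_dev:s0 tclass=chr_file permissive=0',
    'avc: denied { open } for pid=29059 comm="i.tetherservice" name="ipa" '
    'dev="tmpfs" ino=11991 scontext=u:r:system_app:s0 '
    'tcontext=u:object_r:ipa_dev:s0 tclass=chr_file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return the pieces of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A context is user:role:type[:level]; index 2 is the type (the domain for
    # scontext, the target type for tcontext). This also works with MLS suffixes.
    return {
        'perms': m.group('perms').split(),
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'enforced': fields.get('permissive') == '0',
    }


def allow_rule(d):
    """Step 3: put source, target:class and permissions together."""
    return 'allow %s %s:%s { %s };' % (
        d['source'], d['target'], d['tclass'], ' '.join(d['perms']))


def merge_denials(lines):
    """Collapse many denials into one rule per (source, target, class)."""
    merged = {}
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            key = (d['source'], d['target'], d['tclass'])
            merged.setdefault(key, set()).update(d['perms'])
    return [allow_rule({'source': s, 'target': t, 'tclass': c, 'perms': sorted(p)})
            for (s, t, c), p in sorted(merged.items())]
```

Lines with permissive=1 are still parsed (enforced is False) so you can see what a permissive build would have denied before switching to enforcing.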

Labelling in SELinux

To define new types that sepolicy rules can be written against, we use labelling.

For this example, let's assume we want to label the KCal sysfs nodes under the sysfs_kcal type.

KCal sysfs nodes are inside the /sys/devices/platform/kcal_ctrl.0/ directory. To put them all under a single label, we use a simple regex. The type name should be added to file_contexts in your device tree's sepolicy folder. If it doesn't exist, create it.

/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:sysfs_kcal:s0

This line in file_contexts will put all files inside the /sys/devices/platform/kcal_ctrl.0/ folder under the sysfs_kcal label.

Next we open the .te file for the domain we want to grant access to the KCal sysfs. Let's assume it's system_app for this example.

Open up system_app.te from your sepolicy dir (create if missing, usual drill).

First, we need to declare the sysfs_kcal type and the attributes it carries. For granting read/write access to a sysfs node, those are fs_type and sysfs_type, as should be obvious.

type sysfs_kcal, fs_type, sysfs_type;

With that declared, we can add allow rules for sysfs_kcal, treating it both as a sysfs node and as a filesystem object such as a directory or a file.

To read or write the sysfs node, system_app must first be able to find it, which means searching the directory it lives in. Then we grant system_app the ability to read from and write to the node itself.

allow system_app sysfs_kcal:dir search;
allow system_app sysfs_kcal:file rw_file_perms;

These rules rely on the fs_type declaration above to treat the labelled sysfs nodes as directories as well as files, and grant the necessary permissions.

And that's it! Now all system apps can read from and write to all nodes in the /sys/devices/platform/kcal_ctrl.0/ directory.
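As an added example, not from the gist, a small Python check of what the file_contexts entry above actually covers. It relies on the fact that libselinux anchors each file_contexts regex at both ends, and the test paths are constructed.

```python
import re

# The file_contexts entry from the page: path regex, then the label.
KCAL_PATTERN = r'/sys/devices/platform/kcal_ctrl.0(/.*)?'
KCAL_LABEL = 'u:object_r:sysfs_kcal:s0'


def label_for(path, pattern=KCAL_PATTERN, label=KCAL_LABEL):
    """Return the label a path would get from this single file_contexts entry.

    libselinux anchors every file_contexts regex at both ends, so the pattern
    has to match the whole path, not just a prefix; fullmatch does the same.
    """
    return label if re.fullmatch(pattern, path) else None


# Constructed paths to exercise the entry.
CHECKS = [
    '/sys/devices/platform/kcal_ctrl.0',             # the directory itself
    '/sys/devices/platform/kcal_ctrl.0/kcal',        # a node inside it
    '/sys/devices/platform/kcal_ctrl.0/sub/deep',    # a nested path
    '/sys/devices/platform/kcal_ctrl.0extra',        # not covered: no '/' after .0
    '/sys/devices/platform/kcal_ctrlX0/kcal',        # covered only because '.' is unescaped
]


def coverage(paths, pattern=KCAL_PATTERN):
    """Map each path to whether the pattern labels it."""
    return {p: label_for(p, pattern) is not None for p in paths}
```

The last check shows that the unescaped '.' in kcal_ctrl.0 matches any character; escaping it as kcal_ctrl\.0 limits the label to the intended directory.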

@Uj947nXmRqV2nRaWshKtHzTvckUUpD

This is how I handled the problems. Hope it is helpful:

To identify issues:
adb shell su - logcat *:W | grep --line-buffered 'avc'

In Termux or via adb, I created a start-up script:

su -
cd /data/adb/post-fs-data.d #or /data/adb/service.d
touch fix_selinux.sh
chmod +x fix_selinux.sh
vi fix_selinux.sh

This is the script that fixes some SELinux issues (this is for reference only):

#####  START OF SCRIPT ######

#KERNEL
/sbin/magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
/sbin/magiskpolicy --live 'allow kernel kernel capability {kill}'

#SHELL
/sbin/magiskpolicy --live 'allow shell rootfs file {getattr}'

#SYSTEM
/sbin/magiskpolicy --live 'allow system_app system_data_file dir {read write create setattr}'
/sbin/magiskpolicy --live 'allow system_app system_data_file file {create}'

#MAGISK
/sbin/magiskpolicy --live 'allow magisk_client vendor_file dir {read}'

#HAL
/sbin/magiskpolicy --live 'allow hal_memtrack_default sysfs_kgsl dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server file {read open getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default proc file {getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default sensors_dbg_prop file {read open getattr map}'

echo "selinux ok" > /data/adb/post-fs-data.d/status_selinux.log

#####  END OF SCRIPT ######

Details of how magiskpolicy works: https://topjohnwu.github.io/Magisk/guides.html#boot-scripts

@britto-m

I have the loopback device created and mounted the partition under /data/, and this location needs to be accessed by the privileged app and the framework. Can you suggest how to write the SELinux policy for this?

@kevin01523

To identify issues: adb shell su -C logcat *:W | grep --line-buffered 'avc'

@techyminati

Damn, this is always useful to brush up on sepolicy.

@kevin01523

Yeah, works great, fixed my problems with one of my apps failing to load files from my SD card.
