<html devsite><head>
<title>Validating SELinux</title>
<meta name="project_path" value="/_project.yaml"/>
<meta name="book_path" value="/_book.yaml"/>
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p>Android strongly encourages OEMs to test their SELinux implementations thoroughly. As manufacturers implement SELinux, they should apply the new policy to a test pool of devices first.</p>

<p>After applying a new policy, make sure SELinux is running in the correct mode on the device by issuing the command <code>getenforce</code>.</p>

<p>This prints the global SELinux mode: either Enforcing or Permissive. To determine the SELinux mode for each domain, you must examine the corresponding files or run the latest version of <code>sepolicy-analyze</code> with the appropriate (<code>-p</code>) flag, present in /platform/system/sepolicy/tools/.</p>

<h2 id="reading_denials">Reading denials</h2>

<p>Check for errors, which are routed as event logs to <code>dmesg</code> and <code>logcat</code> and are viewable locally on the device. Manufacturers should examine the SELinux output to <code>dmesg</code> on these devices and refine settings prior to public release in permissive mode and the eventual switch to enforcing mode. SELinux log messages contain <code>avc:</code> and so may easily be found with <code>grep</code>. It is possible to capture the ongoing denial logs by running <code>cat /proc/kmsg</code>, or to capture denial logs from the previous boot by running <code>cat /proc/last_kmsg</code>.</p>

<p>With this output, manufacturers can readily identify when system users or components are in violation of SELinux policy. Manufacturers can then repair this bad behavior, either by changes to the software, to the SELinux policy, or both.</p>

<p>Specifically, these log messages indicate which processes would fail under enforcing mode and why. Here is an example:</p>

<pre>
avc: denied { connectto } for pid=2671 comm="ping" path="/dev/socket/dnsproxyd"
scontext=u:r:shell:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket
</pre>

<p>Interpret this output like so:</p>

<ul>
<li>The <code>{ connectto }</code> above represents the action being taken. Together with the <code>tclass</code> at the end (<code>unix_stream_socket</code>) it tells you roughly what was being done to what. In this case, something was trying to connect to a UNIX stream socket.
</li><li>The <code>scontext (u:r:shell:s0)</code> tells you which context initiated the action. In this case it is something running as the shell.
</li><li>The <code>tcontext (u:r:netd:s0)</code> tells you the context of the action's target. In this case, that is a unix_stream_socket owned by <code>netd</code>.
</li><li>The <code>comm="ping"</code> at the top gives you an additional hint about what was being run at the time the denial was generated. In this case, it is a pretty good guess.
</li></ul>

<p>Another example:</p>

<pre>
$ adb shell su root dmesg | grep 'avc: '
<5> type=1400 audit: avc: denied { read write } for pid=177
comm="rmt_storage" name="mem" dev="tmpfs" ino=6004 scontext=u:r:rmt:s0
tcontext=u:object_r:kmem_device:s0 tclass=chr_file
</pre>

<p>Here are the key elements from this denial:</p>

<ul>
<li><strong>Action</strong> - 
the attempted action is highlighted in brackets, here <code>read write</code> (or <code>setenforce</code> in the next section's example).
</li><li><strong>Actor</strong> - the <code>scontext</code> (source context) entry represents the actor, in this case <code>rmt_storage</code>.
</li><li><strong>Object</strong> - the <code>tcontext</code> (target context) entry represents the object being acted upon, in this case kmem.
</li><li><strong>Result</strong> - the <code>tclass</code> (target class) entry indicates the type of object being acted upon, in this case a <code>chr_file</code> (character device).
</li></ul>

<h2 id="switching_to_permissive">Switching to permissive</h2>

<p class="caution"><strong>Caution:</strong> Permissive mode is not supported on production devices. CTS confirms that enforcing mode is enabled.</p>

<p>SELinux enforcement can be disabled via ADB on userdebug or eng builds. To do so, run:</p>

<pre>
$ adb shell su root setenforce 0
</pre>

<p>Or set the mode on the kernel command line (during early device bring-up):</p>

<pre>
androidboot.selinux=permissive
androidboot.selinux=enforcing
</pre>

<h2 id="using_audit2allow">Using audit2allow</h2>

<p>The <code>selinux/policycoreutils/audit2allow</code> tool takes <code>dmesg</code> denials and converts them into corresponding SELinux policy statements. As such, it can greatly speed SELinux development. <code>audit2allow</code> is available in the Android source tree at the path above.</p>

<p>To use it, run:</p>

<pre>
$ adb shell su root dmesg | audit2allow -p $OUT/root/sepolicy
</pre>

<p>Nevertheless, care must be taken to examine each potential addition for overreaching permissions. For example, feeding audit2allow the <code>rmt_storage</code> denial shown earlier results in the following suggested SELinux policy statements:</p>

<pre>
#============= shell ==============
allow shell kernel:security setenforce;
#============= rmt ==============
allow rmt kmem_device:chr_file { read write };
</pre>

<p>That would grant <code>rmt</code> the ability to write kernel memory, a glaring security hole. Often the <code>audit2allow</code> statements are only a starting point: after employing them you may need to change the source domain and the label of the target, and incorporate the proper macros, to arrive at a good policy. Sometimes the denial being examined should not result in any policy change at all; rather, the offending application should be changed.</p>

</body></html>
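<p>The following Python script is an added example covering both the "Reading denials" and "Using audit2allow" sections above; it is not part of the original page or of the Android project's tooling. It parses AVC denial lines of the two shapes quoted on this page (with and without the <code>type=1400 audit:</code> prefix), prints the same reading the bullet lists give (actor, action, object class, target owner), derives the <code>allow</code> statement audit2allow would suggest, and flags the two kinds of suggestion the page singles out as dangerous to accept as-is: write access to kernel memory and the ability to run <code>setenforce</code>. The sample lines are constructed from the page's examples, and the <code>review_rule</code> heuristics are the author's own assumptions, not an audit2allow feature.</p>

```python
"""Parse Android SELinux AVC denials and derive the allow rule audit2allow would emit."""
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the denials quoted on this page
# (the connectto and rmt_storage denials) plus a constructed setenforce denial
# that audit2allow would turn into "allow shell kernel:security setenforce;".
SAMPLE_DENIALS = [
    'avc: denied { connectto } for pid=2671 comm="ping" path="/dev/socket/dnsproxyd" '
    'scontext=u:r:shell:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket',
    '<5> type=1400 audit: avc: denied { read write } for pid=177 comm="rmt_storage" '
    'name="mem" dev="tmpfs" ino=6004 scontext=u:r:rmt:s0 '
    'tcontext=u:object_r:kmem_device:s0 tclass=chr_file',
    'avc: denied { setenforce } for pid=4321 comm="sh" scontext=u:r:shell:s0 '
    'tcontext=u:r:kernel:s0 tclass=security',
]

# "avc: denied { perms } for key=value key="value" ..." with any dmesg prefix before it
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: list      # the action(s) inside { }, e.g. ["read", "write"]
    scontext: str    # actor (source context), e.g. u:r:rmt:s0
    tcontext: str    # object (target context), e.g. u:object_r:kmem_device:s0
    tclass: str      # object class, e.g. chr_file
    comm: str        # process name, a hint about what was running


def context_type(ctx):
    """Return the type component of a u:r:TYPE:s0 or u:object_r:TYPE:s0 label."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_denial(line):
    """Parse one AVC line (with or without the audit prefix); None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Denial(
        perms=m.group("perms").split(),
        scontext=fields.get("scontext", ""),
        tcontext=fields.get("tcontext", ""),
        tclass=fields.get("tclass", ""),
        comm=fields.get("comm", ""),
    )


def describe(d):
    """One-line reading of the denial in the order the page's bullet lists use."""
    return (f"{context_type(d.scontext)} (comm={d.comm}) attempted "
            f"{' '.join(d.perms)} on a {d.tclass} owned by {context_type(d.tcontext)}")


def allow_rule(d):
    """The allow statement audit2allow derives from this denial (braces only for several perms)."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {context_type(d.scontext)} {context_type(d.tcontext)}:{d.tclass} {perms};"


def review_rule(d):
    """Flag suggested rules that must not be pasted into policy as-is.

    These two checks are assumptions drawn from the page's examples (writing
    kernel memory, toggling enforcement), not something audit2allow does.
    """
    warnings = []
    if "kmem" in context_type(d.tcontext) and "write" in d.perms:
        warnings.append(f"grants {context_type(d.scontext)} write access to kernel memory")
    if d.tclass == "security" and "setenforce" in d.perms:
        warnings.append("lets the domain switch SELinux out of enforcing mode")
    return warnings


if __name__ == "__main__":
    for line in SAMPLE_DENIALS:
        d = parse_denial(line)
        print(describe(d))
        print("   ", allow_rule(d))
        for w in review_rule(d):
            print("    WARNING:", w)
```

<p>Run it against real output with <code>adb shell su root dmesg | grep 'avc: '</code> piped into a loop over <code>sys.stdin</code> instead of <code>SAMPLE_DENIALS</code>; the warnings mark exactly the rules that should prompt a relabel, a domain change or a fix in the offending process rather than a policy addition.</p>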