Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SElinux Android message interpretation

I am unable to make sense of this message which I get on my android application. Any experts in the house ?

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
like image 595
Jay Avatar asked Jun 25 '17 06:06

Jay


3 Answers

The given SELinux violation:

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0

Below I'll try to give explanation of important parts of above violation:

denied { create } : Operation Permission State : The denied permission that was requested / executed. In this case, it is a create operation. SELinux denying permission to execute create dir/file operation.

name="access_control.new_commit.cv": Target name : The name of the target (in this case, the file/dir name) which your application, probably, trying to create.

scontext=u:r:untrusted_app:s0 : Source Context : The Source Context for this security violation. This indicates which domain/process is trying to execute create functionality. Here, untrusted_app applications are those which are launched by zygote

tcontext=u:object_r:fuse:s0 : Target Context : The security context of the target resource (in this case the file). Here, the source tried to create file in Fuse file system which has been denied.

tclass=fifo_file : Target Class : The class of the target.

In one sentence, SELinux denied the permission to untrusted_app to create the access_control.new_commit.cv file in fuse.

From Google source, check SEPolicy file untrusted_app.te how the permission has been denied.

NB: If you any suggestion with the answer, let me know.

like image 194
Hamid Shatu Avatar answered Nov 20 '22 04:11

Hamid Shatu


I could add that running audit2allow on the error message will give you a suggestion on how to update the untrusted_app.te file.

Dump dmesg to text file:

dmesg > /sdcard/dmesg.txt
cat dmesg.txt | grep avc | audit2allow 

will give you the following result in this case:

#============= untrusted_app ==============
allow untrusted_app fuse:fifo_file create;

Add this line to untrusted_app.te and rebuild the Android kernel!

like image 43
Matzone Avatar answered Nov 20 '22 04:11

Matzone


According to Validating SELinux  |  Android Open Source Project, for message:

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0

the key info is:

  • Action: create
  • Actor=scontext=source context: untrusted_app
  • Object=tcontext=target context: fuse
    • object_r=object read ?
  • Result=tclass=target class: fifo_file=FIFO file
  • permissive=permissive mode: 0 -> NOT permissive mode
    • -> is Enforce mode ?

translated to human readable sentence:

untrusted_app want to create a fifo_file for fuse

(But enforce mode of Android SELinux STOP it for no permission, so you see above logcat log info)

like image 5
crifan Avatar answered Nov 20 '22 05:11

crifan