SElinux Android message interpretation

Question

I am unable to make sense of this message which I get on my android application. Any experts in the house ?

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0

Answer 1

The given SELinux violation:

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0

Below I'll try to give explanation of important parts of above violation:

denied { create } : Operation Permission State : The denied permission that was requested / executed. In this case, it is a create operation. SELinux denying permission to execute create dir/file operation.

name="access_control.new_commit.cv": Target name : The name of the target (in this case, the file/dir name) which your application, probably, trying to create.

scontext=u:r:untrusted_app:s0 : Source Context : The Source Context for this security violation. This indicates which domain/process is trying to execute create functionality. Here, untrusted_app applications are those which are launched by zygote

tcontext=u:object_r:fuse:s0 : Target Context : The security context of the target resource (in this case the file). Here, the source tried to create file in Fuse file system which has been denied.

tclass=fifo_file : Target Class : The class of the target.

In one sentence, SELinux denied the permission to untrusted_app to create the access_control.new_commit.cv file in fuse.

From Google source, check SEPolicy file untrusted_app.te how the permission has been denied.

NB: If you any suggestion with the answer, let me know.

Answer 2

I could add that running audit2allow on the error message will give you a suggestion on how to update the untrusted_app.te file.

Dump dmesg to text file:

dmesg > /sdcard/dmesg.txt

cat dmesg.txt | grep avc | audit2allow 

will give you the following result in this case:

#============= untrusted_app ==============
allow untrusted_app fuse:fifo_file create;

Add this line to untrusted_app.te and rebuild the Android kernel!

Answer 3

According to Validating SELinux  |  Android Open Source Project, for message:

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0

the key info is:

• Action: create
• Actor=scontext=source context: untrusted_app
• Object=tcontext=target context: fuse
  • object_r=object read ?
• Result=tclass=target class: fifo_file=FIFO file
• permissive=permissive mode: 0 -> NOT permissive mode
  • -> is Enforce mode ?

translated to human readable sentence:

untrusted_app want to create a fifo_file for fuse

(But enforce mode of Android SELinux STOP it for no permission, so you see above logcat log info)