I am unable to make sense of this message which I get on my Android application. Any experts in the house?
type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
The given SELinux violation:
type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
Below I'll try to explain the important parts of the above violation:
denied { create }: Operation Permission State: The denied permission that was requested / executed. In this case, it is a create operation. SELinux is denying permission to execute the create dir/file operation.
name="access_control.new_commit.cv": Target name: The name of the target (in this case, the file/dir name) which your application is probably trying to create.
scontext=u:r:untrusted_app:s0: Source Context: The Source Context for this security violation. This indicates which domain/process is trying to execute the create functionality. Here, untrusted_app applications are those which are launched by zygote.
tcontext=u:object_r:fuse:s0: Target Context: The security context of the target resource (in this case the file). Here, the source tried to create a file in the Fuse file system, which has been denied.
tclass=fifo_file: Target Class: The class of the target.
In one sentence, SELinux denied the permission to untrusted_app to create the access_control.new_commit.cv file in fuse.
In the Google source, check the SEPolicy file untrusted_app.te to see how the permission has been denied.
NB: If you have any suggestions for the answer, let me know.
I could add that running audit2allow on the error message will give you a suggestion on how to update the untrusted_app.te file.
Dump dmesg to text file:
dmesg > /sdcard/dmesg.txt
cat dmesg.txt | grep avc | audit2allow
will give you the following result in this case:
#============= untrusted_app ==============
allow untrusted_app fuse:fifo_file create;
Add this line to untrusted_app.te and rebuild the Android kernel!
According to Validating SELinux | Android Open Source Project, for the message:
type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
the key info is:
Action: create
Actor = scontext = source context: untrusted_app
Object = tcontext = target context: fuse
    object_r = object read?
Result = tclass = target class: fifo_file = FIFO file
permissive = permissive mode: 0 -> NOT permissive mode
Translated to a human-readable sentence:
untrusted_app wants to create a fifo_file for fuse
(But the enforce mode of Android SELinux stops it for lack of permission, so you see the above logcat log info)
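The field breakdown in the answers above, and the rule shown in the audit2allow output, can be reproduced with a small parser. This is an added example, not code from any of the posts; the function names parse_context, parse_avc and candidate_rule are hypothetical, and the sample line is the denial quoted on this page.

```python
import re

# Constructed sample: the denial quoted on this page.
SAMPLE = ('type=1400 audit(0.0:2233): avc: denied { create } for '
          'name="access_control.new_commit.cv" '
          'scontext=u:r:untrusted_app:s0:c512,c768 '
          'tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS/MCS level may itself contain ':'."""
    user, role, type_, level = (ctx.split(':', 3) + [None])[:4]
    return {'user': user, 'role': role, 'type': type_, 'level': level}


def parse_avc(line):
    """Return the fields of one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),          # one message can list several
        'name': fields.get('name'),
        'source': parse_context(fields['scontext']),
        'target': parse_context(fields['tcontext']),
        'tclass': fields['tclass'],
        'enforced': fields.get('permissive') == '0',
    }


def candidate_rule(avc):
    """Render the type-enforcement rule that would cover this denial."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        avc['source']['type'], avc['target']['type'], avc['tclass'], perm_str)


if __name__ == '__main__':
    avc = parse_avc(SAMPLE)
    print(avc['source']['type'], avc['perms'], avc['tclass'], avc['name'])
    print(candidate_rule(avc))
```

The rule it prints matches the audit2allow output quoted above; such a rule is a candidate to review against the policy's intent before it goes into a .te file.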