Closed Stricted closed 6 years ago
There is some debugfs, I can fix the others, but most of *-fs will be boring to fix
I just copied all occurring denials out of a 3-hour log to have a list of them, but to be fair, that's not much that gets denials.
Here is the fix (I didn't test it):
In init.te :
allow init init:tcp_socket { create bind write read };
allow init port:tcp_socket name_bind;
allow init node:tcp_socket node_bind;
allow init uart_device:chr_file { write ioctl getattr };
allow init fwmarkd_socket:sock_file write;
allow init netd:unix_stream_socket connectto;
In zygote.te :
allow zygote debugfs:file { write open };
In cpboot-daemon.te :
allow cpboot-daemon properties_device:dir { read open };
allow cpboot-daemon proc:file { read open };
allow cpboot-daemon proc_stat:file { read open getattr };
allow cpboot-daemon radio_block_device:blk_file { open write };
allow cpboot-daemon mif_device:chr_file { open read write ioctl };
In rild.te :
allow rild debugfs:file { write open };
allow rild sysfs:file write;
In netd.te :
allow netd init:tcp_socket { read write getopt setopt };
I will test that later.
neverallow check failed at /home/buildtest/android/lineage-15.1/out/target/product/s5neoltexx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2708
(neverallow base_typeattr_63_27_0 debugfs_27_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
<root>
allow at /home/buildtest/android/lineage-15.1/out/target/product/s5neoltexx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6430
(allow rild_27_0 debugfs_27_0 (file (write open)))
<root>
allow at /home/buildtest/android/lineage-15.1/out/target/product/s5neoltexx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6571
(allow zygote_27_0 debugfs_27_0 (file (write open)))
neverallow check failed at /home/buildtest/android/lineage-15.1/out/target/product/s5neoltexx/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4649 from system/sepolicy/public/domain.te:1003
(neverallow base_typeattr_63 debugfs (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
<root>
allow at /home/buildtest/android/lineage-15.1/out/target/product/s5neoltexx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6430
(allow rild_27_0 debugfs_27_0 (file (write open)))
<root>
allow at /home/buildtest/android/lineage-15.1/out/target/product/s5neoltexx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6571
(allow zygote_27_0 debugfs_27_0 (file (write open)))
I really hate SELinux.
It's debugfs, I'll build+fix tomorrow, but debugfs will surely need a patch in the kernel.
Fixed. Only the zygote and rild debugfs ones aren't passed; they are neverallow, so no fix for this actually.
If it's neverallow we can safely ignore them, I guess. Thanks for your work on this.
I'll reopen here. I gave it another go and these are the current denials (I stripped out all debugfs denials and duplicates):
01-09 05:31:05.039 1481 1481 I auditd : type=1400 audit(0.0:14): avc: denied { relabelto } for comm="ueventd" name="camera" dev="sysfs" ino=11183 scontext=u:r:ueventd:s0 tcontext=u:object_r:camera_device:s0 tclass=dir permissive=
01-09 05:31:05.039 1481 1481 I auditd : type=1400 audit(0.0:15): avc: denied { relabelto } for comm="ueventd" name="subsystem" dev="sysfs" ino=11202 scontext=u:r:ueventd:s0 tcontext=u:object_r:camera_device:s0 tclass=lnk_file permissive=
01-09 05:31:05.559 2242 2242 I auditd : type=1400 audit(0.0:20): avc: denied { execute_no_trans } for comm="init" path="/system/vendor/bin/macloader" dev="mmcblk0p20" ino=2204 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=
01-09 05:31:05.559 2241 2241 I auditd : type=1400 audit(0.0:21): avc: denied { read } for comm="sgdisk" name="online" dev="sysfs" ino=34 scontext=u:r:sgdisk:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:05.559 2241 2241 I auditd : type=1400 audit(0.0:21): avc: denied { open } for comm="sgdisk" path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:sgdisk:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:05.559 2241 2241 I auditd : type=1400 audit(0.0:22): avc: denied { getattr } for comm="sgdisk" path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:sgdisk:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:05.579 2243 2243 I auditd : type=1400 audit(0.0:23): avc: denied { execute_no_trans } for comm="init" path="/system/bin/sysinit" dev="mmcblk0p20" ino=428 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=
01-09 05:31:05.669 2255 2255 I auditd : type=1400 audit(0.0:24): avc: denied { read } for comm="sswap" name="__properties__" dev="tmpfs" ino=7174 scontext=u:r:sswap:s0 tcontext=u:object_r:properties_device:s0 tclass=dir permissive=
01-09 05:31:05.669 2255 2255 I auditd : type=1400 audit(0.0:24): avc: denied { open } for comm="sswap" path="/dev/__properties__" dev="tmpfs" ino=7174 scontext=u:r:sswap:s0 tcontext=u:object_r:properties_device:s0 tclass=dir permissive=
01-09 05:31:05.669 2255 2255 I auditd : type=1400 audit(0.0:25): avc: denied { read } for comm="sswap" name="stat" dev="proc" ino=4026539757 scontext=u:r:sswap:s0 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=
01-09 05:31:05.669 2255 2255 I auditd : type=1400 audit(0.0:25): avc: denied { open } for comm="sswap" path="/proc/stat" dev="proc" ino=4026539757 scontext=u:r:sswap:s0 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=
01-09 05:31:05.669 2255 2255 I auditd : type=1400 audit(0.0:26): avc: denied { getattr } for comm="sswap" path="/proc/stat" dev="proc" ino=4026539757 scontext=u:r:sswap:s0 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=
01-09 05:31:06.659 2284 2284 I auditd : type=1400 audit(0.0:122): avc: denied { search } for comm="cameraserver" name="camera" dev="sysfs" ino=11183 scontext=u:r:cameraserver:s0 tcontext=u:object_r:camera_device:s0 tclass=dir permissive=
01-09 05:31:06.669 2280 2280 I auditd : type=1400 audit(0.0:123): avc: denied { lock } for comm="gpsd" path="/data/system/gps/.gpsd.lock" dev="mmcblk0p23" ino=243846 scontext=u:r:init:s0 tcontext=u:object_r:gps_data_file:s0 tclass=file permissive=
01-09 05:31:07.219 2434 2434 I auditd : type=1400 audit(0.0:125): avc: denied { read } for comm="crash_dump32" name="online" dev="sysfs" ino=34 scontext=u:r:crash_dump:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:07.219 2434 2434 I auditd : type=1400 audit(0.0:125): avc: denied { open } for comm="crash_dump32" path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:crash_dump:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:07.219 2434 2434 I auditd : type=1400 audit(0.0:126): avc: denied { getattr } for comm="crash_dump32" path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:crash_dump:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:13.679 2280 2280 I auditd : type=1400 audit(0.0:188): avc: denied { connectto } for comm="gpsd" path=004D756C7469636C69656E74 scontext=u:r:init:s0 tcontext=u:r:rild:s0 tclass=unix_stream_socket permissive=
01-09 05:31:13.679 2280 2280 I gpsd : type=1400 audit(0.0:188): avc: denied { connectto } for path=004D756C7469636C69656E74 scontext=u:r:init:s0 tcontext=u:r:rild:s0 tclass=unix_stream_socket permissive=
01-09 05:31:13.679 2299 2299 I auditd : type=1400 audit(0.0:189): avc: denied { search } for comm="rild" name="2280" dev="proc" ino=8531 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=dir permissive=
01-09 05:31:13.679 2299 2299 I rild : type=1400 audit(0.0:189): avc: denied { search } for name="2280" dev="proc" ino=8531 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=dir permissive=
01-09 05:31:13.679 2299 2299 I auditd : type=1400 audit(0.0:189): avc: denied { read } for comm="rild" name="cmdline" dev="proc" ino=11527 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=file permissive=
01-09 05:31:13.679 2299 2299 I rild : type=1400 audit(0.0:189): avc: denied { read } for name="cmdline" dev="proc" ino=11527 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=file permissive=
01-09 05:31:13.679 2299 2299 I auditd : type=1400 audit(0.0:189): avc: denied { open } for comm="rild" path="/proc/2280/cmdline" dev="proc" ino=11527 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=file permissive=
01-09 05:31:13.679 2299 2299 I rild : type=1400 audit(0.0:189): avc: denied { open } for path="/proc/2280/cmdline" dev="proc" ino=11527 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=file permissive=
01-09 05:31:13.679 2299 2299 I auditd : type=1400 audit(0.0:190): avc: denied { getattr } for comm="rild" path="/proc/2280/cmdline" dev="proc" ino=11527 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=file permissive=
01-09 05:31:13.679 2299 2299 I rild : type=1400 audit(0.0:190): avc: denied { getattr } for path="/proc/2280/cmdline" dev="proc" ino=11527 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=file permissive=
01-09 05:31:21.919 2444 2444 I auditd : type=1400 audit(0.0:194): avc: denied { create } for comm="main" name="tasks" scontext=u:r:zygote:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=
01-09 05:31:21.919 2444 2444 I main : type=1400 audit(0.0:194): avc: denied { create } for name="tasks" scontext=u:r:zygote:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=
01-09 05:31:21.989 2518 2518 I auditd : type=1400 audit(0.0:195): avc: denied { execute } for comm="system_server" path="/data/dalvik-cache/arm/system@framework@org.lineageos.platform.jar@classes.dex" dev="mmcblk0p23" ino=65030 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=
01-09 05:31:36.969 2600 2600 I auditd : type=1400 audit(0.0:197): avc: denied { read } for comm="idmap" name="online" dev="sysfs" ino=34 scontext=u:r:idmap:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:36.969 2600 2600 I idmap : type=1400 audit(0.0:197): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:idmap:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:36.969 2600 2600 I auditd : type=1400 audit(0.0:197): avc: denied { open } for comm="idmap" path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:idmap:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:36.969 2600 2600 I idmap : type=1400 audit(0.0:197): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:idmap:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:36.969 2600 2600 I auditd : type=1400 audit(0.0:198): avc: denied { getattr } for comm="idmap" path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:idmap:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:36.969 2600 2600 I idmap : type=1400 audit(0.0:198): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:idmap:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:39.219 2257 2257 I auditd : type=1400 audit(0.0:200): avc: denied { write } for comm="lmkd" name="minfree" dev="sysfs" ino=2429 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:39.219 2257 2257 I lmkd : type=1400 audit(0.0:200): avc: denied { write } for name="minfree" dev="sysfs" ino=2429 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:43.059 2609 2609 I auditd : type=1400 audit(0.0:201): avc: denied { read } for comm="cbd" name="mmcblk0p14" dev="tmpfs" ino=2283 scontext=u:r:cpboot-daemon:s0 tcontext=u:object_r:radio_block_device:s0 tclass=blk_file permissive=
01-09 05:31:43.059 2609 2609 I cbd : type=1400 audit(0.0:201): avc: denied { read } for name="mmcblk0p14" dev="tmpfs" ino=2283 scontext=u:r:cpboot-daemon:s0 tcontext=u:object_r:radio_block_device:s0 tclass=blk_file permissive=
01-09 05:31:43.059 2609 2609 I auditd : type=1400 audit(0.0:202): avc: denied { read } for comm="cbd" name="nv_data.bin" dev="mmcblk0p3" ino=32 scontext=u:r:cpboot-daemon:s0 tcontext=u:object_r:bin_nv_data_efs_file:s0 tclass=file permissive=
01-09 05:31:43.059 2609 2609 I cbd : type=1400 audit(0.0:202): avc: denied { read } for name="nv_data.bin" dev="mmcblk0p3" ino=32 scontext=u:r:cpboot-daemon:s0 tcontext=u:object_r:bin_nv_data_efs_file:s0 tclass=file permissive=
01-09 05:31:43.059 2609 2609 I auditd : type=1400 audit(0.0:202): avc: denied { open } for comm="cbd" path="/efs/nv_data.bin" dev="mmcblk0p3" ino=32 scontext=u:r:cpboot-daemon:s0 tcontext=u:object_r:bin_nv_data_efs_file:s0 tclass=file permissive=
01-09 05:31:43.059 2609 2609 I cbd : type=1400 audit(0.0:202): avc: denied { open } for path="/efs/nv_data.bin" dev="mmcblk0p3" ino=32 scontext=u:r:cpboot-daemon:s0 tcontext=u:object_r:bin_nv_data_efs_file:s0 tclass=file permissive=
01-09 05:31:45.809 2253 2253 I auditd : type=1400 audit(0.0:203): avc: denied { read } for comm="android.hardwar" name=".wifiver.info" dev="mmcblk0p23" ino=11 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=
01-09 05:31:45.809 2253 2253 I android.hardwar: type=1400 audit(0.0:203): avc: denied { read } for name=".wifiver.info" dev="mmcblk0p23" ino=11 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=
01-09 05:31:45.809 2253 2253 I auditd : type=1400 audit(0.0:203): avc: denied { open } for comm="android.hardwar" path="/data/.wifiver.info" dev="mmcblk0p23" ino=11 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=
01-09 05:31:45.809 2253 2253 I android.hardwar: type=1400 audit(0.0:203): avc: denied { open } for path="/data/.wifiver.info" dev="mmcblk0p23" ino=11 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=
01-09 05:31:45.809 2253 2253 I auditd : type=1400 audit(0.0:203): avc: denied { write } for comm="android.hardwar" name=".wifiver.info" dev="mmcblk0p23" ino=11 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=
01-09 05:31:45.809 2253 2253 I android.hardwar: type=1400 audit(0.0:203): avc: denied { write } for name=".wifiver.info" dev="mmcblk0p23" ino=11 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=
01-09 05:31:47.139 2694 2694 I sgdisk : type=1400 audit(0.0:206): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:sgdisk:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:47.139 2694 2694 I sgdisk : type=1400 audit(0.0:206): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:sgdisk:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:47.139 2694 2694 I sgdisk : type=1400 audit(0.0:207): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:sgdisk:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:47.399 2736 2736 I auditd : type=1400 audit(0.0:208): avc: denied { read } for comm="sh" name="online" dev="sysfs" ino=34 scontext=u:r:blkid_untrusted:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:47.399 2736 2736 I sh : type=1400 audit(0.0:208): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:blkid_untrusted:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:47.399 2736 2736 I auditd : type=1400 audit(0.0:208): avc: denied { open } for comm="sh" path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:blkid_untrusted:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:47.399 2736 2736 I sh : type=1400 audit(0.0:208): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:blkid_untrusted:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:47.399 2736 2736 I auditd : type=1400 audit(0.0:209): avc: denied { getattr } for comm="sh" path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:blkid_untrusted:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:47.399 2736 2736 I sh : type=1400 audit(0.0:209): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:blkid_untrusted:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:48.349 2280 2280 I auditd : type=1400 audit(0.0:234): avc: denied { write } for comm="gpsd" name=".gps.interface.pipe.to_jni" dev="mmcblk0p23" ino=243872 scontext=u:r:init:s0 tcontext=u:object_r:gps_data_file:s0 tclass=fifo_file permissive=
01-09 05:31:48.349 2280 2280 I gpsd : type=1400 audit(0.0:234): avc: denied { write } for name=".gps.interface.pipe.to_jni" dev="mmcblk0p23" ino=243872 scontext=u:r:init:s0 tcontext=u:object_r:gps_data_file:s0 tclass=fifo_file permissive=
01-09 05:31:49.659 2518 2518 I auditd : type=1400 audit(0.0:236): avc: denied { execute } for comm="system_server" path="/data/dalvik-cache/arm/system@framework@com.android.location.provider.jar@classes.dex" dev="mmcblk0p23" ino=65040 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=
01-09 05:31:49.659 2518 2518 I system_server: type=1400 audit(0.0:236): avc: denied { execute } for path="/data/dalvik-cache/arm/system@framework@com.android.location.provider.jar@classes.dex" dev="mmcblk0p23" ino=65040 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=
01-09 05:32:06.659 2280 2280 I auditd : type=1400 audit(0.0:250): avc: denied { write } for comm="gpsd" name="dnsproxyd" dev="tmpfs" ino=1489 scontext=u:r:init:s0 tcontext=u:object_r:dnsproxyd_socket:s0 tclass=sock_file permissive=
01-09 05:32:06.659 2280 2280 I gpsd : type=1400 audit(0.0:250): avc: denied { write } for name="dnsproxyd" dev="tmpfs" ino=1489 scontext=u:r:init:s0 tcontext=u:object_r:dnsproxyd_socket:s0 tclass=sock_file permissive=
01-09 05:32:06.699 2280 2280 I auditd : type=1400 audit(0.0:251): avc: denied { connect } for comm="gpsd" scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=
01-09 05:32:06.699 2280 2280 I gpsd : type=1400 audit(0.0:251): avc: denied { connect } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=
01-09 05:32:06.699 2280 2280 I auditd : type=1400 audit(0.0:251): avc: denied { name_connect } for comm="gpsd" dest=7275 scontext=u:r:init:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=
01-09 05:32:06.699 2280 2280 I gpsd : type=1400 audit(0.0:251): avc: denied { name_connect } for dest=7275 scontext=u:r:init:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=
01-09 05:32:10.619 2518 2518 I auditd : type=1400 audit(0.0:257): avc: denied { unlink } for comm="Thread-11" name="log" dev="mmcblk0p21" ino=6403 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=
01-09 05:32:10.619 2518 2518 I Thread-11: type=1400 audit(0.0:257): avc: denied { unlink } for name="log" dev="mmcblk0p21" ino=6403 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=
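The thread does by hand what the two artifacts above make mechanical: turning a logcat dump of AVC denials into per-domain allow rules (the "In rild.te : allow ..." lists) and then discovering at build time that some of those rules trip a neverallow in system/sepolicy/public/domain.te. The script below is an added example, not code from this thread or from LineageOS, and it is not audit2allow; it groups denials by (source domain, target type, class), collapses the duplicate lines logcat emits under the process tag, buckets the rules by the <domain>.te file they belong in, and screens them against a neverallow table before anyone starts a build. The sample log is constructed (four lines in the shape of the thread's own, plus one made-up debugfs denial so the check has something to catch), and NEVERALLOWS is an assumed model of the domain.te debugfs rule: the real rule targets an attribute (base_typeattr_63 in the CIL output), whose membership is not visible on the page, so it is modelled as "every domain except an exempt set".

```python
import re
from collections import defaultdict

# Constructed sample log (not a real capture): four lines shaped like the
# thread's denials plus one made-up debugfs denial. The "I sgdisk :" line is
# the duplicate logcat emits under the process tag; it must not count twice.
SAMPLE_LOG = """\
01-09 05:31:05.559 2241 2241 I auditd : type=1400 audit(0.0:21): avc: denied { read } for comm="sgdisk" name="online" dev="sysfs" ino=34 scontext=u:r:sgdisk:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:05.559 2241 2241 I auditd : type=1400 audit(0.0:21): avc: denied { open } for comm="sgdisk" path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:sgdisk:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:05.559 2241 2241 I sgdisk : type=1400 audit(0.0:21): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:sgdisk:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=
01-09 05:31:13.679 2299 2299 I auditd : type=1400 audit(0.0:189): avc: denied { search } for comm="rild" name="2280" dev="proc" ino=8531 scontext=u:r:rild:s0 tcontext=u:r:init:s0 tclass=dir permissive=
01-09 05:31:50.000 2299 2299 I auditd : type=1400 audit(0.0:300): avc: denied { write open } for comm="rild" name="made_up_node" dev="debugfs" ino=1 scontext=u:r:rild:s0 tcontext=u:object_r:debugfs:s0 tclass=file permissive=
"""

# Matches the avc part of a type=1400 logcat line. The target may be a process
# (u:r:<domain>:s0) or an object (u:object_r:<type>:s0); an MLS suffix such as
# :c512,c768 after s0 is tolerated and ignored.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=u:r:(?P<sdom>[^:\s]+):s0\S* "
    r"tcontext=u:(?:r|object_r):(?P<ttype>[^:\s]+):s0\S* "
    r"tclass=(?P<tclass>\S+)"
)

# Assumed model of the neverallow from system/sepolicy/public/domain.te that the
# build output in the thread reports. The real rule targets an attribute
# (base_typeattr_63 in the CIL); the exempt set is not on the page, so it is
# left empty here, which means "every domain".
NEVERALLOWS = [
    {
        "exempt": set(),
        "ttype": "debugfs",
        "tclass": "file",
        "perms": {"ioctl", "read", "write", "create", "setattr", "lock",
                  "relabelfrom", "append", "unlink", "link", "rename", "open"},
    },
]


def parse_denials(log_text):
    """Group denied permissions by (source domain, target type, class).

    The auditd/process-tag duplicates collapse because permissions are
    unioned into a set per key.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["sdom"], m["ttype"], m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)


def format_rule(key, perms):
    """Render one key as a .te allow rule with permissions in sorted order."""
    sdom, ttype, tclass = key
    return "allow %s %s:%s { %s };" % (sdom, ttype, tclass, " ".join(sorted(perms)))


def to_allow_rules(grouped):
    """One allow rule per (domain, type, class), sorted for stable diffs."""
    return [format_rule(k, grouped[k]) for k in sorted(grouped)]


def rules_by_te_file(grouped):
    """Bucket the rules by the <domain>.te file they would be added to."""
    files = defaultdict(list)
    for k in sorted(grouped):
        files[k[0] + ".te"].append(format_rule(k, grouped[k]))
    return dict(files)


def check_neverallow(grouped, neverallows=NEVERALLOWS):
    """Return the candidate rules that would fail the build's neverallow check.

    A rule conflicts when its domain is not exempt, the target type and class
    match, and at least one of its permissions is in the neverallow set.
    """
    offending = []
    for key in sorted(grouped):
        sdom, ttype, tclass = key
        for na in neverallows:
            if sdom in na["exempt"]:
                continue
            if ttype == na["ttype"] and tclass == na["tclass"] and grouped[key] & na["perms"]:
                offending.append(format_rule(key, grouped[key]))
                break
    return offending


if __name__ == "__main__":
    grouped = parse_denials(SAMPLE_LOG)
    for te_file, rules in rules_by_te_file(grouped).items():
        print("In %s:" % te_file)
        for rule in rules:
            print("    " + rule)
    for rule in check_neverallow(grouped):
        print("neverallow conflict, drop this rule: " + rule)
```

Run against a real logcat dump, the rules it prints are a starting point, not a policy: each one still needs the "should this domain really have this access?" question the thread's neverallow output is asking, and a sysfs or proc denial is often better solved by labelling the specific node (as the thread's camera_device relabel shows) than by opening the whole type.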
I'll do it
+60 denials fixed.
Here is a list of the currently occurring SELinux denials: