Closed shaseley closed 8 years ago
I'm not an SELinux expert either, so we're in the same boat here. Here are some good tutorials I found online to help understand the avc denied message. It's basically just a trial-and-error process. Definitely push this to the develop branch after you've tested it.
https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details
Fixed and pushed. However, I found another related issue that I'll post in a minute...
Fixed in 4.1.4
I discovered SELinux is blocking kmsgd from running. In Lollipop, we were able to get away without creating a domain and policy for kmsgd, but it looks like we aren't now. Here is a snippet from dmesg:
[ 5.569108] type=1400 audit(2439641.239:5): avc: denied { syslog } for pid=390 comm="kmsgd" capability=34 scontext=u:r:kmsgd:s0 tcontext=u:r:kmsgd:s0 tclass=capability2 permissive=0
[ 5.569390] init: Service 'kmsgd' (pid 390) exited with status 255
[ 5.569410] init: Service 'kmsgd' (pid 390) killing any children in process group
[ 5.584574] type=1400 audit(2439641.239:6): avc: denied { sys_admin } for pid=390 comm="kmsgd" capability=21 scontext=u:r:kmsgd:s0 tcontext=u:r:kmsgd:s0 tclass=capability permissive=0
After fixing these, the following occurs:
[ 10.918196] init: Starting service 'kmsgd'...
[ 10.926122] type=1400 audit(1471311434.029:8): avc: denied { syslog_mod } for pid=915 comm="kmsgd" scontext=u:r:kmsgd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
[ 10.926992] init: Service 'kmsgd' (pid 915) exited with status 255
[ 10.927013] init: Service 'kmsgd' (pid 915) killing any children in process group
I found this running a modified system while working on porting the tracing infrastructure. However, I also verified the finding on Guru's device that I believe was running the latest.
I think the right fix is to modify device/moto/shamu/sepolicy/, which I have done and tested. Jinghao - I can push the fix to either develop or a new branch; you may want to look it over as I'm not an SELinux expert by any means.
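How the three denials quoted above map to policy rules, as an added example that is not part of the original post and is not the fix that was pushed: the script parses each `avc: denied` line into source type, target type, class and permission, and prints the candidate `allow` rule, a simplified version of what `audit2allow` does. The function names are hypothetical; the log lines are copied from the post.

```python
import re
from collections import defaultdict

# Log lines copied from the dmesg snippets in the post above.
DMESG = """\
[ 5.569108] type=1400 audit(2439641.239:5): avc: denied { syslog } for pid=390 comm="kmsgd" capability=34 scontext=u:r:kmsgd:s0 tcontext=u:r:kmsgd:s0 tclass=capability2 permissive=0
[ 5.569390] init: Service 'kmsgd' (pid 390) exited with status 255
[ 5.584574] type=1400 audit(2439641.239:6): avc: denied { sys_admin } for pid=390 comm="kmsgd" capability=21 scontext=u:r:kmsgd:s0 tcontext=u:r:kmsgd:s0 tclass=capability permissive=0
[ 10.926122] type=1400 audit(1471311434.029:8): avc: denied { syslog_mod } for pid=915 comm="kmsgd" scontext=u:r:kmsgd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_denial(line):
    """Return a dict for one 'avc: denied' line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm", "").strip('"'),
        # An SELinux context is user:role:type:level; the rule uses the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def candidate_rules(log_text):
    """Merge denials into sorted, de-duplicated candidate allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        # A domain acting on its own context is written as 'self'.
        target = "self" if d["target"] == d["source"] else d["target"]
        merged[(d["source"], target, d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(DMESG)))
```

The output is a list of candidates to review against what kmsgd actually needs before anything goes into the device sepolicy directory; the second snippet in the post also shows why the loop is iterative, since the `syslog_mod` denial only appeared once the first two were resolved.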