robherring / generic_device

A generic android device repository

SEPolicy build issue #26

Open matobra opened 5 years ago

matobra commented 5 years ago

Hi,

I'm building linaro-arm-userdebug with android-7.1.2_r36 and I'm having the following error:

FAILED: /bin/bash -c "(out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/policy.conf ) && (out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates//sepolicy.dontaudit out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/policy.conf.dontaudit ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then        echo \"==========\" 1>&2;       echo \"ERROR: permissive domains not allowed in user builds\" 1>&2;         echo \"List of invalid domains:\" 1>&2;         cat out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2;       exit 1;         fi ) && (mv out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy )"
device/linaro/generic//sepolicy/init-sh.te:3:**ERROR** 'attribute vendor_file_type is not declared' at token ';' on line 21252:
type init-sh_exec, exec_type, vendor_file_type, file_type;
type init-sh, domain;
checkpolicy:  error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/policy.conf

I can overcome this by commenting out the vendor_* related lines in device/linaro/generic/sepolicy/init-sh.te, but when I try to run the resulting images with qemu I'm having SEPolicy issues that may be due to this forced workaround. Here's a snippet of the boot process:

[    3.056575] Freeing unused kernel memory: 2048K
[    3.078497] Run /init as init process
[    3.496801] init: init first stage started!
[    3.576077] SELinux:  Permission validate_trans in class security not defined in policy.
[    3.577231] SELinux:  Permission getrlimit in class process not defined in policy.
[    3.578055] SELinux:  Class process2 not defined in policy.
[    3.578848] SELinux:  Permission map in class file not defined in policy.
[    3.579642] SELinux:  Permission map in class dir not defined in policy.
[    3.580377] SELinux:  Permission map in class lnk_file not defined in policy.
[    3.581144] SELinux:  Permission map in class chr_file not defined in policy.
[    3.581915] SELinux:  Permission map in class blk_file not defined in policy.
[    3.582626] SELinux:  Permission map in class sock_file not defined in policy.
[    3.583434] SELinux:  Permission map in class fifo_file not defined in policy.
[    3.584168] SELinux:  Permission map in class socket not defined in policy.
[    3.584888] SELinux:  Permission map in class tcp_socket not defined in policy.
[    3.586051] SELinux:  Permission map in class udp_socket not defined in policy.
[    3.586883] SELinux:  Permission map in class rawip_socket not defined in policy.
[    3.587526] SELinux:  Permission map in class netlink_socket not defined in policy.
[    3.588154] SELinux:  Permission map in class packet_socket not defined in policy.
[    3.588771] SELinux:  Permission map in class key_socket not defined in policy.
[    3.589369] SELinux:  Permission map in class unix_stream_socket not defined in policy.
[    3.590234] SELinux:  Permission map in class unix_dgram_socket not defined in policy.
[    3.591215] SELinux:  Permission map in class netlink_route_socket not defined in policy.
[    3.592111] SELinux:  Permission map in class netlink_tcpdiag_socket not defined in policy.
[    3.593048] SELinux:  Permission map in class netlink_nflog_socket not defined in policy.
[    3.593922] SELinux:  Permission map in class netlink_xfrm_socket not defined in policy.
[    3.594830] SELinux:  Permission map in class netlink_selinux_socket not defined in policy.
[    3.596374] SELinux:  Permission map in class netlink_iscsi_socket not defined in policy.
[    3.597280] SELinux:  Permission map in class netlink_audit_socket not defined in policy.
[    3.598078] SELinux:  Permission map in class netlink_fib_lookup_socket not defined in policy.
[    3.598883] SELinux:  Permission map in class netlink_connector_socket not defined in policy.
[    3.599496] SELinux:  Permission map in class netlink_netfilter_socket not defined in policy.
[    3.600442] SELinux:  Permission map in class netlink_dnrt_socket not defined in policy.
[    3.601296] SELinux:  Permission map in class netlink_kobject_uevent_socket not defined in policy.
[    3.601987] SELinux:  Permission map in class netlink_generic_socket not defined in policy.
[    3.602738] SELinux:  Permission map in class netlink_scsitransport_socket not defined in policy.
[    3.603600] SELinux:  Permission map in class netlink_rdma_socket not defined in policy.
[    3.604289] SELinux:  Permission map in class netlink_crypto_socket not defined in policy.
[    3.605066] SELinux:  Permission map in class appletalk_socket not defined in policy.
[    3.606920] SELinux:  Permission map in class dccp_socket not defined in policy.
[    3.607410] SELinux:  Permission map in class tun_socket not defined in policy.
[    3.607787] SELinux:  Class cap_userns not defined in policy.
[    3.608098] SELinux:  Class cap2_userns not defined in policy.
[    3.608333] SELinux:  Class sctp_socket not defined in policy.
[    3.608543] SELinux:  Class icmp_socket not defined in policy.
[    3.608751] SELinux:  Class ax25_socket not defined in policy.
[    3.608958] SELinux:  Class ipx_socket not defined in policy.
[    3.609168] SELinux:  Class netrom_socket not defined in policy.
[    3.609497] SELinux:  Class atmpvc_socket not defined in policy.
[    3.609800] SELinux:  Class x25_socket not defined in policy.
[    3.610068] SELinux:  Class rose_socket not defined in policy.
[    3.610406] SELinux:  Class decnet_socket not defined in policy.
[    3.610726] SELinux:  Class atmsvc_socket not defined in policy.
[    3.611050] SELinux:  Class rds_socket not defined in policy.
[    3.611354] SELinux:  Class irda_socket not defined in policy.
[    3.611678] SELinux:  Class pppox_socket not defined in policy.
[    3.612005] SELinux:  Class llc_socket not defined in policy.
[    3.612306] SELinux:  Class can_socket not defined in policy.
[    3.612617] SELinux:  Class tipc_socket not defined in policy.
[    3.612935] SELinux:  Class bluetooth_socket not defined in policy.
[    3.613332] SELinux:  Class iucv_socket not defined in policy.
[    3.613651] SELinux:  Class rxrpc_socket not defined in policy.
[    3.613958] SELinux:  Class isdn_socket not defined in policy.
[    3.614280] SELinux:  Class phonet_socket not defined in policy.
[    3.614604] SELinux:  Class ieee802154_socket not defined in policy.
[    3.614927] SELinux:  Class caif_socket not defined in policy.
[    3.615811] SELinux:  Class alg_socket not defined in policy.
[    3.616145] SELinux:  Class nfc_socket not defined in policy.
[    3.616404] SELinux:  Class vsock_socket not defined in policy.
[    3.616644] SELinux:  Class kcm_socket not defined in policy.
[    3.616894] SELinux:  Class qipcrtr_socket not defined in policy.
[    3.617147] SELinux:  Class smc_socket not defined in policy.
[    3.617399] SELinux:  Class infiniband_pkey not defined in policy.
[    3.617664] SELinux:  Class infiniband_endport not defined in policy.
[    3.617933] SELinux:  Class bpf not defined in policy.
[    3.618163] SELinux:  Class xdp_socket not defined in policy.
[    3.618460] SELinux: the above unknown classes and permissions will be denied
[    3.619298] SELinux:  policy capability network_peer_controls=1
[    3.619594] SELinux:  policy capability open_perms=1
[    3.619815] SELinux:  policy capability extended_socket_class=0
[    3.620080] SELinux:  policy capability always_check_network=0
[    3.620328] SELinux:  policy capability cgroup_seclabel=0
[    3.620562] SELinux:  policy capability nnp_nosuid_transition=0
[    3.780787] audit: type=1403 audit(1538556036.540:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[    3.821932] init: (Initializing SELinux non-enforcing took 0.32s.)
[    3.841183] audit: type=1400 audit(1538556036.600:3): avc:  denied  { map } for  pid=1 comm="init" path="/file_contexts.bin" dev="rootfs" ino=4966 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[    3.902253] audit: type=1400 audit(1538556036.660:4): avc:  denied  { map } for  pid=1 comm="init" path="/init" dev="rootfs" ino=4968 scontext=u:r:init:s0 tcontext=u:object_r:init_exec:s0 tclass=file permissive=1
[    3.949475] init: init second stage started!
[    3.968878] audit: type=1400 audit(1538556036.730:5): avc:  denied  { map } for  pid=1 comm="init" path="/dev/__properties__/u:object_r:opengles_prop:s0" dev="tmpfs" ino=5465 scontext=u:r:init:s0 tcontext=u:object_r:opengles_prop:s0 tclass=file permissive=1
[    3.974451] audit: type=1400 audit(1538556036.730:6): avc:  denied  { map } for  pid=1 comm="init" path="/dev/__properties__/u:object_r:radio_noril_prop:s0" dev="tmpfs" ino=5466 scontext=u:r:init:s0 tcontext=u:object_r:radio_noril_prop:s0 tclass=file permissive=1
[    3.977571] audit: type=1400 audit(1538556036.740:7): avc:  denied  { map } for  pid=1 comm="init" path="/dev/__properties__/u:object_r:qemu_prop:s0" dev="tmpfs" ino=5467 scontext=u:r:init:s0 tcontext=u:object_r:qemu_prop:s0 tclass=file permissive=1
[    3.979872] audit: type=1400 audit(1538556036.740:8): avc:  denied  { map } for  pid=1 comm="init" path="/dev/__properties__/u:object_r:dalvik_prop:s0" dev="tmpfs" ino=5468 scontext=u:r:init:s0 tcontext=u:object_r:dalvik_prop:s0 tclass=file permissive=1
[    3.982144] audit: type=1400 audit(1538556036.740:9): avc:  denied  { map } for  pid=1 comm="init" path="/dev/__properties__/u:object_r:config_prop:s0" dev="tmpfs" ino=5469 scontext=u:r:init:s0 tcontext=u:object_r:config_prop:s0 tclass=file permissive=1
[    3.984765] audit: type=1400 audit(1538556036.740:10): avc:  denied  { map } for  pid=1 comm="init" path="/dev/__properties__/u:object_r:nfc_prop:s0" dev="tmpfs" ino=5470 scontext=u:r:init:s0 tcontext=u:object_r:nfc_prop:s0 tclass=file permissive=1
[    4.103766] init: Running restorecon...
[    4.493090] init: waitpid failed: No child processes
[    4.500144] init: (Loading properties from /default.prop took 0.01s.)
[    4.578983] init: (Parsing /init.environ.rc took 0.00s.)
[    4.590725] init: (Parsing /init.usb.rc took 0.01s.)
[    4.594029] init: (Parsing /init.unknown.rc took 0.00s.)
[    4.608825] init: (Parsing /init.usb.configfs.rc took 0.01s.)
[    4.612636] init: (Parsing /init.zygote32.rc took 0.00s.)
[    4.613439] init: (Parsing /init.rc took 0.08s.)
[    4.712206] ueventd: ueventd started!
[    6.503184] kauditd_printk_skb: 36 callbacks suppressed
[    6.503535] audit: type=1400 audit(1538556039.260:47): avc:  denied  { write } for  pid=1 comm="init" name="cpu" dev="proc" ino=4026531922 scontext=u:r:init:s0 tcontext=u:object_r:proc:s0 tclass=dir permissive=1
[    6.516575] audit: type=1400 audit(1538556039.260:48): avc:  denied  { add_name } for  pid=1 comm="init" name="alignment" scontext=u:r:init:s0 tcontext=u:object_r:proc:s0 tclass=dir permissive=1
[    6.517649] audit: type=1400 audit(1538556039.280:49): avc:  denied  { create } for  pid=1 comm="init" name="alignment" scontext=u:r:init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
[    6.729283] audit: type=1400 audit(1538556039.490:50): avc:  denied  { create } for  pid=1 comm="init" name="cpu.rt_period_us" scontext=u:r:init:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=1
[    6.786755] audit: type=1400 audit(1538556039.550:51): avc:  denied  { module_request } for  pid=1 comm="init" kmod="fs-cpuset" scontext=u:r:init:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
[    7.917265] audit: type=1400 audit(1538556040.680:52): avc:  denied  { map } for  pid=66 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=4981 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[    8.051816] audit: type=1400 audit(1538556040.810:53): avc:  denied  { map } for  pid=67 comm="adbd" path="/sbin/adbd" dev="rootfs" ino=4980 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[    8.115873] audit: type=1400 audit(1538556040.870:54): avc:  denied  { map } for  pid=66 comm="healthd" path="/dev/__properties__/properties_serial" dev="tmpfs" ino=5500 scontext=u:r:healthd:s0 tcontext=u:object_r:properties_serial:s0 tclass=file permissive=1
[    8.194399] audit: type=1400 audit(1538556040.950:55): avc:  denied  { map } for  pid=66 comm="healthd" path="/dev/binder" dev="tmpfs" ino=5542 scontext=u:r:healthd:s0 tcontext=u:object_r:binder_device:s0 tclass=chr_file permissive=1
[    8.205283] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855
[    8.255899] audit: type=1400 audit(1538556041.010:56): avc:  denied  { map } for  pid=67 comm="adbd" path="/dev/__properties__/properties_serial" dev="tmpfs" ino=5500 scontext=u:r:adbd:s0 tcontext=u:object_r:properties_serial:s0 tclass=file permissive=1
[    9.231615] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855
[    9.270079] ueventd: Coldboot took 4.52s.
[   10.235870] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855
[   11.237537] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855
[   12.238884] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855

Basically at the end of the boot process I get this binder message over and over and nothing is displayed in the emulator.

Any ideas?
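The checkpolicy error above is a consistency check: every attribute a `type` statement assigns must have an `attribute NAME;` declaration somewhere in the policy, and `vendor_file_type` is a Treble attribute that AOSP's system/sepolicy declares from Android 8.0 on, so a 7.1.2 tree has no declaration for it. The following is an added example, not code from this repository, that runs that same check over constructed .te fragments modelled on the issue's snippet (the platform fragment and file paths are assumptions):

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample inputs: a platform fragment declaring the attributes
# a 7.1.2-era policy provides, and a device .te modelled on the issue's
# init-sh.te (vendor_file_type is used on line 3 but never declared).
PLATFORM_TE = """\
attribute domain;
attribute file_type;
attribute exec_type;
"""

INIT_SH_TE = """\
# device/linaro/generic/sepolicy/init-sh.te (constructed sample)

type init-sh_exec, exec_type, vendor_file_type, file_type;
type init-sh, domain;
"""

ATTR_DECL = re.compile(r"^\s*attribute\s+([\w-]+)\s*;")
TYPE_DECL = re.compile(r"^\s*type\s+([\w-]+)\s*(?:,\s*([\w,\s-]+?))?\s*;")


def declared_attributes(sources: Dict[str, str]) -> Set[str]:
    """Collect every `attribute NAME;` declaration across all policy sources."""
    found = set()
    for text in sources.values():
        for line in text.splitlines():
            m = ATTR_DECL.match(line)
            if m:
                found.add(m.group(1))
    return found


def undeclared_attribute_uses(sources: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (file, line_no, type_name, attribute) for each attribute that a
    `type` statement assigns but no source declares; this is what checkpolicy
    rejects with "attribute X is not declared"."""
    declared = declared_attributes(sources)
    problems = []
    for path, text in sources.items():
        for no, line in enumerate(text.splitlines(), start=1):
            m = TYPE_DECL.match(line)
            if not m or not m.group(2):
                continue  # no attribute list on this type statement
            for attr in (a.strip() for a in m.group(2).split(",")):
                if attr and attr not in declared:
                    problems.append((path, no, m.group(1), attr))
    return problems


if __name__ == "__main__":
    sources = {"system/sepolicy/attributes": PLATFORM_TE,
               "device/linaro/generic/sepolicy/init-sh.te": INIT_SH_TE}
    for path, no, tname, attr in undeclared_attribute_uses(sources):
        print(f"{path}:{no}: type {tname} uses undeclared attribute '{attr}'")
```

Adding `attribute vendor_file_type;` to the platform fragment makes the report empty, which is the two-way choice the build leaves you with on 7.1.2: declare the attribute or drop it from the device policy.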

casiphia commented 5 years ago

Hello, I have encountered the same problem as you. How can I solve it?

s1a1g1e1r1t commented 5 years ago

You need to look at your working device in /system/etc/selinux files plat_property_context, plat_seapp_context, plat_sepolicy_cill, plat_service_context

lubinsz commented 5 years ago

@matobra Hi, did you fix it? Thanks.

s1a1g1e1r1t commented 5 years ago

Only guesses.