topjohnwu / Magisk

The Magic Mask for Android
GNU General Public License v3.0

[BUG] Latest Version: Selinux issue + Magisk S10+ [G975F] | Can't use EdXposed #3466

Closed mundicristal closed 3 years ago

mundicristal commented 3 years ago

The problem: Magisk (latest canary version) is not working properly, I'm getting this error (avc: denied {search} for pid = 5401 [org.meowcat.edxposed.manager]) when using the EdXposed app (latest canary version). Apparently the selinux rule is not working and I am getting the error "Denied" when trying to use the EdXposed app.

Sepolicy:

allow system_server system_server process execmem
allow system_server system_server memprotect mmap_zero
allow coredomain coredomain process execmem
allow coredomain app_data_file * *
attradd {system_app platform_app} mlstrustedsubject
allow zygote apk_data_file * *

Magisk Version:
Magisk: Latest dc5e78e1 (21006) Canary
Magisk Manager: Latest 2739d3cb (313) (13)

Magisk Modules:
Riru - Core v21.3
Riru - EdXposed Latest v0.5.0.6 (4564) YAHFA Canary
SELinux Permissive v2 (Tested with enabled and disabled)
Busybox for Android NDK (Tested with enabled and disabled)
Systemless Hosts (Tested with enabled and disabled)

EdXposed Manager: Version: Latest v4.5.7 (45700)

EdXposed Modules:
HiddenCore Module (Removed for test)
NFC Catch-All-Routing

Android 10 Q API 29

EdXposed Error: 11-11 12:21:47.648 5401 5401 E EdXposed-Bridge: Cannot load any modules because /data/user_de/0/org.meowcat.edxposed.manager/conf/modules.list was not found

Logcat Error: 11-11 12:21:47.648 5261 5261 E audit : type=1400 audit(1605108107.643:3910): avc: denied { search } for pid=5401 comm="main" name="org.meowcat.edxposed.manager" dev="sda31" ino=3342841 scontext=u:r:zygote:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0 SEPF_SM-G975F_10_0020 audit_filtered

Logcat.txt: https://drive.google.com/file/d/1KhBDA_rjWasosh5EmoQAr6eRqdzjnW02/view?usp=sharing
Magisk.log: https://drive.google.com/file/d/17osteU-EpUb4fDyB8JD7MNtE7qjnXHWG/view?usp=sharing

incapdns commented 3 years ago

Here is also the same problem, I'm using virtual machine (Emulator)

mundicristal commented 3 years ago

> Here is also the same problem, I'm using virtual machine (Emulator)

I'm using the S10 Plus (G975F) and this error is quite difficult to solve, I'm searching how to solve the problem. :((

Important: I can’t set selinux to permissive (disable selinux entirely: setenforce 0) because Samsung restricted it.

wangdaning commented 3 years ago

Switch to the alpha edxposed, canary is not tested or meant to be used normally.

mundicristal commented 3 years ago

I switched to alpha version and the problem remains.

Note: The error is related to supolicy (magisk policy) not working

avc: denied { search } for pid=5401 comm="main" name="org.meowcat.edxposed.manager" dev="sda31" ino=3342841 scontext=u:r:zygote:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

scontext: zygote
tcontext: app_data_file
tclass: dir
permission: { search }

Selinux: supolicy --live "allow zygote app_data_file "

Expected result: Equivalent to "permissive zygote" or "fully allow zygote app_data_file"
Result obtained: avc denied { search }

mundicristal commented 3 years ago

I already tried: supolicy --live "allow zygote app_data_file dir { search, read, write, getattr }" ...etc

vvb2060 commented 3 years ago

Loading custom sepolicy patch not found in your magisk.log.

mundicristal commented 3 years ago

> Loading custom sepolicy patch not found in your magisk.log.

So, this is weird, I ran "magiskpolicy --live" and also "supolicy --live". I'm afraid there is some limitation in the Samsung kernel, as the policy I created is not being validated.

Important: After installing LineageOS + Magisk or another ROM it works normally (supolicy ok)

mundicristal commented 3 years ago

I will be closing this problem because I updated the ROM and I cannot continue with the Ticket, but then I recommend checking this bug (I think it is a limitation on the Samsung S10 + G975F stock rom)

kotori2 commented 3 years ago

It's such a weird bug and really hard to reproduce. I have this issue on x86 emulator but it disappeared as I changed the update-binary. It seems lots of ppl have this bug with EdXposed. #3460

Didgeridoohan commented 3 years ago

@kotori2 What do you mean when you say that you changed the update-binary?

kotori2 commented 3 years ago

@Didgeridoohan https://github.com/ElderDrivers/EdXposed/pull/623/commits/493dd0446ac749269ef3ac0ecb617b2e510b2f32

Didgeridoohan commented 3 years ago

@kotori2 Thank you. So in other words, not a Magisk issue but the EdXposed module that needs to be updated.

kotori2 commented 3 years ago

@Didgeridoohan I mean this issue was not solved by simply upgrading update-binary. The author of this issue tried my patch and didn't work.

mundicristal commented 3 years ago

> @kotori2 Thank you. So in other words, not a Magisk issue but the EdXposed module that needs to be updated.

No, the problem is not due to the EdXposed module (because the patch has already been applied).

I get the error "avc: denied {search}" even by manually applying the terminal (or via adb shell) supolicy --live "allow zygote apk_data_file ", that is: Even if there is an error in the EdXposed binary because the change that I applied using supolicy --live and --apply sepolicy.rule didn't work?

I am afraid it is something related to Samsung phones, because after updating the ROM to LineageOS and activating Selinux (Enforcing) EdXposed continued to work correctly.

Remembering that I did the test with permissive selinux and selinux enforcing (setenforce 1), and both worked on the LineageOS ROM

Didgeridoohan commented 3 years ago

@mundicristal Yes, sounds like your issue is likely a Samsung one, and that @kotori2 has a different issue. There's even a similar issue open in the EdXposed repo: https://github.com/ElderDrivers/EdXposed/issues/601 (although there the devices don't even boot).

kotori2 commented 3 years ago

Samsung phones don't allow live policy, and live policy should be removed from EdXposed. Magisk should load sepolicy fine on Samsung phones because I didn't see anyone reporting a Samsung sepolicy bug.

mundicristal notifications@github.com wrote on Friday, November 13, 2020 at 17:24:

@kotori2 Thank you. So in other words, not a Magisk issue but the EdXposed module that needs to be updated.

No, the problem is not due to the EdXposed module (because the patch has already been applied).

I get the error "avc: denied {search}" even by manually applying the terminal (or via adb shell) supolicy --live "allow zygote apk_data_file ", that is: Even if there is an error in the EdXposed binary because the change that I applied using supolicy --live and --apply sepolicy.rule didn't work?

I am afraid it is something related to Samsung phones, because after updating the ROM to LineageOS and activating Selinux (Enforcing) EdXposed continued to work correctly.

Remembering that I did the test with permissive selinux and selinux enforcing (setenforce 1), and both worked on the LineageOS ROM


sn-o-w commented 3 years ago

@kotori2 I have tried your update-binary and I'm not sure if it really works.

In my logcat I see: **11-12 20:11:39.953 W/dxposed.manager(13847): type=1400 audit(0.0:696): avc: denied { open } for name="xposed" dev="mmcblk0p29" ino=1136 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0 app=org.meowcat.edxposed.manager**

**11-12 20:11:40.813 W/dxposed.manager(13847): type=1400 audit(0.0:697): avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=0 app=org.meowcat.edxposed.manager**

Should I see these denials if the following custom sepolicy rules are applied correctly for my phone?

allow system_server system_server process execmem
allow system_server system_server memprotect mmap_zero
allow coredomain coredomain process execmem
allow coredomain app_data_file * *
attradd {system_app platform_app} mlstrustedsubject
allow zygote apk_data_file * *

I have nothing like avc: denied { search } in my logs, only avc: denied { open } and avc: denied { read }.

Thank you in advance.
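
An added example (not code from Magisk, EdXposed or any commenter in this thread): it parses the `avc: denied` lines quoted above by mundicristal and sn-o-w and checks each one against the posted rule text. The `attrs` mapping (for example, treating `zygote` as a member of `coredomain`) is an assumption supplied by the caller; on a device, attribute membership comes from the loaded policy, not from the log.

```python
import re

# Rule text as posted in the thread (magiskpolicy statement syntax).
RULES = """\
allow system_server system_server process execmem
allow system_server system_server memprotect mmap_zero
allow coredomain coredomain process execmem
allow coredomain app_data_file * *
attradd {system_app platform_app} mlstrustedsubject
allow zygote apk_data_file * *
"""
# Denials quoted in the thread, trimmed to the fields read below.
DENIALS = [
    'avc: denied { search } for pid=5401 comm="main" scontext=u:r:zygote:s0 '
    'tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0',
    'avc: denied { open } for name="xposed" scontext=u:r:untrusted_app_27:s0:c512,c768 '
    'tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0',
    'avc: denied { read } for name="enforce" scontext=u:r:untrusted_app_27:s0:c512,c768 '
    'tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=0',
]
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')

def parse_denial(line):
    """Return (source type, target type, class, permissions) or None."""
    m = AVC.search(line)
    if not m:
        return None
    perms, scon, tcon, tclass = m.groups()
    # A context is user:role:type:level; the level may itself contain ':'.
    return scon.split(":", 3)[2], tcon.split(":", 3)[2], tclass, perms.split()

def parse_allow_rules(text):
    """Parse 'allow src tgt class perm' lines; '{a b}' is a set, '*' matches anything."""
    rules = []
    for line in text.splitlines():
        tok = re.findall(r'\{[^}]*\}|\S+', line)
        if len(tok) == 5 and tok[0] == "allow":
            rules.append(tuple(set(t.strip("{}").split()) for t in tok[1:]))
    return rules

def covering_rules(denial, rules, attrs=None):
    """Rules whose text covers every denied permission. attrs maps a type to the
    attributes it carries (assumed input; the audit log does not contain it)."""
    src, tgt, cls, perms = denial
    names = lambda t: {t} | set((attrs or {}).get(t, ()))
    hit = lambda field, wanted: "*" in field or bool(field & wanted)
    return [r for r in rules
            if hit(r[0], names(src)) and hit(r[1], names(tgt))
            and hit(r[2], {cls}) and ("*" in r[3] or set(perms) <= r[3])]
```

A match only means the rule text would cover the denial if the patch were loaded; it says nothing about whether the running kernel policy actually contains the rule.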