I am unable to make sense of this message which I get on my Android application. Any experts in the house?
type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
The given SELinux violation:
type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
Below I'll try to give an explanation of the important parts of the above violation:
denied { create }: Operation Permission State: The denied permission that was requested / executed. In this case, it is a create operation. SELinux is denying permission to execute the create dir/file operation.
name="access_control.new_commit.cv": Target name: The name of the target (in this case, the file/dir name) which your application is probably trying to create.
scontext=u:r:untrusted_app:s0: Source Context: The Source Context for this security violation. This indicates which domain/process is trying to execute the create functionality. Here, untrusted_app applications are those which are launched by zygote.
tcontext=u:object_r:fuse:s0: Target Context: The security context of the target resource (in this case the file). Here, the source tried to create a file in the Fuse file system, which has been denied.
tclass=fifo_file: Target Class: The class of the target.
In one sentence, SELinux denied the permission to untrusted_app to create the access_control.new_commit.cv file in fuse.
From Google source, check SEPolicy file untrusted_app.te how the permission has been denied.
NB: If you have any suggestion about the answer, let me know.
According to Validating SELinux | Android Open Source Project , for message:
type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
the key info is:
Action: create
Actor = scontext = source context: untrusted_app
Object = tcontext = target context: fuse (object_r = object read?)
Result = tclass = target class: fifo_file = FIFO file
permissive = permissive mode: 0 -> NOT permissive mode
Translated to a human-readable sentence:
untrusted_app wants to create a fifo_file for fuse
(But the enforcing mode of Android SELinux STOPS it for lack of permission, so you see the above logcat log info)
I found an interesting page on dissecting the "avc: denied" issue here.
https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details
I could add that running audit2allow on the error message will give you a suggestion on how to update the untrusted_app.te file.
Dump dmesg to text file:
dmesg > /sdcard/dmesg.txt
grep avc /sdcard/dmesg.txt | audit2allow
will give you the following result in this case:
#============= untrusted_app ==============
allow untrusted_app fuse:fifo_file create;
Add this line to untrusted_app.te and rebuild the Android kernel!
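As an added example (not code from any of the answers above), a small Python parser for AVC lines like the one in the question: it pulls out the fields the answers walk through, renders the same kind of human-readable sentence, and builds the allow rule audit2allow proposes. The regular expressions and the context split are my assumptions about the kernel audit format, based only on the line quoted above.

```python
import re

# Constructed sample: the exact AVC line from the question.
SAMPLE = ('type=1400 audit(0.0:2233): avc: denied { create } for '
          'name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 '
          'tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0')

# "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_ctx(ctx):
    """Split user:role:type:level; the type (third field) is what .te rules name."""
    parts = ctx.split(':', 3)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) > 3 else ''}

def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),          # may be several, e.g. { read write }
        'name': fields.get('name'),                 # absent for some object classes
        'source': split_ctx(fields['scontext']),
        'target': split_ctx(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }

def describe(rec):
    """Human-readable sentence in the style of the answers above."""
    mode = ('permissive mode, so it was only logged' if rec['permissive']
            else 'enforcing mode, so it was blocked')
    return (f"{rec['source']['type']} tried to {' and '.join(rec['perms'])} the "
            f"{rec['tclass']} '{rec['name']}' labelled {rec['target']['type']}; "
            f"SELinux was in {mode}.")

def allow_rule(rec):
    """The .te rule audit2allow would propose for this record."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['source']['type']} {rec['target']['type']}:{rec['tclass']} {perm_str};"

if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(describe(rec))
    print(allow_rule(rec))   # allow untrusted_app fuse:fifo_file create;
```

The rule it prints is the same one audit2allow gives in the answer above; the categories (c512,c768) are kept in the level field so they are visible when two apps with different category sets hit the same denial.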