SElinux Android message interpretation

Question

I am unable to make sense of this message which I get on my android application. Any experts in the house ?

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0

Answer 1

The given SELinux violation:

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0

Below I'll try to give explanation of important parts of above violation:

denied { create } : Operation Permission State : The denied permission that was requested / executed. In this case, it is a create operation. SELinux denying permission to execute create dir / file operation.

name="access_control.new_commit.cv" : Target name : The name of the target (in this case, the file/dir name) which your application, probably, trying to create.

scontext=u:r:untrusted_app:s0 : Source Context : The Source Context for this security violation. This indicates which domain/proces s is trying to execute create functionality. Here, untrusted_app applications are those which are launched by zygote

tcontext=u:object_r:fuse:s0 : Target Context : The security context of the target resource (in this case the file). Here, the source tried to create file in Fuse file system which has been denied.

tclass=fifo_file : Target Class : The class of the target.

In one sentence , SELinux denied the permission to untrusted_app to create the access_control.new_commit.cv file in fuse .

From Google source, check SEPolicy file untrusted_app.te how the permission has been denied.

NB: If you any suggestion with the answer, let me know.

Answer 2

According to Validating SELinux | Android Open Source Project , for message:

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0

the key info is:

• Action : create
• Actor = scontext = source context : untrusted_app
• Object = tcontext = target context : fuse
  • object_r = object read ?
• Result = tclass = target class : fifo_file =FIFO file
• permissive = permissive mode : 0 -> NOT permissive mode
  • -> is Enforce mode ?

translated to human readable sentence:

untrusted_app want to create a fifo_file for fuse

(But enforce mode of Android SELinux STOP it for no permission, so you see above logcat log info)

Answer 3

I found an interesting page on disecting the "avc : denied" issue here.

https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details

Answer 4

I could add that running audit2allow on the error message will give you a suggestion on how to update the untrusted_app.te file.

Dump dmesg to text file:

dmesg > /sdcard/dmesg.txt

cat dmesg.txt | grep avc | audit2allow 

will give you the following result in this case:

#============= untrusted_app ==============
allow untrusted_app fuse:fifo_file create;

Add this line to untrusted_app.te and rebuild the Android kernel!