- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: Android 7.1 SELinux vdc & sh unlabeled boot fail
Android 7.1 SELinux vdc & sh unlabeled boot fail
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Android 7.1 SELinux vdc & sh unlabeled boot fail
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am porting Android 7.1 to our IMX53 product. I ran into a problem with SELinux that doesn't seem to make sense. The boot log looks like this:
.
.
.
[ 3.506650] Freeing unused kernel memory: 1024K
[ 3.528875] init: init first stage started!
[ 3.553382] SELinux: Permission validate_trans in class security not defined in policy.
[ 3.562534] SELinux: Class cap_userns not defined in policy.
[ 3.568418] SELinux: Class cap2_userns not defined in policy.
[ 3.574269] SELinux: Class bpf not defined in policy.[ 3.579623] SELinux: the above unknown classes and permissions will be denied
[ 3.701006] audit: type=1403 audit(3.689:2): policy loaded auid=4294967295 ses=4294967295
[ 3.712563] audit: type=1404 audit(3.699:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[ 3.745760] init: (Initializing SELinux enforcing took 0.21s.)
[ 3.766315] init: init second stage started!
[ 3.792985] init: Running restorecon...
[ 3.880962] init: waitpid failed: No child processes
[ 3.887834] init: (Loading properties from /default.prop took 0.00s.)
[ 3.903302] init: (Parsing /init.environ.rc took 0.00s.)
[ 3.910929] init: (Parsing /init.usb.rc took 0.00s.)
[ 3.918296] init: (Parsing init.rti.usb.rc took 0.00s.)
[ 3.923605] init: (Parsing /init.rti.rc took 0.01s.)
[ 3.931310] init: (Parsing /init.usb.configfs.rc took 0.00s.)
[ 3.937856] init: (Parsing /init.zygote32.rc took 0.00s.)
[ 3.962443] ueventd: ueventd started!
[ 4.942899] ueventd: Coldboot took 0.97s.
[ 5.078709] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null)
[ 5.139472] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.182104] EXT4-fs (mmcblk0p4): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.493959] audit: type=1400 audit(5.479:4): avc: denied { execute } for pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 5.593161] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 5.607788] audit: type=1400 audit(5.599:5): avc: denied { execute } for pid=112 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 6.663334] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 7.670798] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 8.678255] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 9.685626] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
.
.
.
As you can see "vdc", and "sh" seem to be missing a label for SELinux. However, I clearly see the label being set in android source under /system/sepolicy/file_contexts:
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/vdc u:object_r:vdc_exec:s0
Further, if I try to provide my own label for these same files in /device/rti/kx10/sepolicy/file_contexts, I get a compile errors:
out/target/product/kx10/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp: Multiple same specifications for /system/bin/sh.
out/target/product/kx10/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp: Multiple same specifications for /system/bin/vdc.
So if sh & vdc have a label defined, why does the SELinux audit indicates these files are "unlabeled"???
Because of this error I cannot get a shell started to allow me to use other debug tools (ex. logcat). Does anyone have any ideas, thoughts, or suggestions that might help me proceed??
Thanks in advance,
Eric Nelson
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Tim,
Unfortunately I did not. I have since abandon the en devour & gone to a different processor & different BSP. Although I still wish I knew the answer if for no other reason than to learn from it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Eric,
Thank you for your response. My problem results from the SELinux context being dropped by copying a file from the system image when the context from that file isn't understood by the operating system and archiving it into a tarball. Although tar has the 'p' option for preserving permissions for files, it doesn't keep the SELinux context.
With kind regards,
Tim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the suggestion Victor. I changed the linux command line in uboot to androidboot.selinux=disabled. The debug UART during boot now shows selinux set to disabled:
.
.
[ 0.000000] Kernel command line: console=ttymxc1,115200 init=/init androidboot.console=ttymxc1 androidboot.selinux=disabled androidboot.hardware=rti fec_mac=16:25:34:43:52:61
.
.
Later in the boot log when android starts, I see similar (but not identical) behavior. Strangely I still see SeLinux message with "denied", and "permissive=0":
.
.
[ 3.496813] Freeing unused kernel memory: 1024K
[ 3.519002] init: init first stage started!
[ 3.543559] SELinux: Permission validate_trans in class security not defined in policy.
[ 3.552690] SELinux: Class cap_userns not defined in policy.
[ 3.558577] SELinux: Class cap2_userns not defined in policy.
[ 3.564467] SELinux: Class bpf not defined in policy.
[ 3.569671] SELinux: the above unknown classes and permissions will be denied
[ 3.690836] audit: type=1403 audit(3.679:2): policy loaded auid=4294967295 ses=4294967295
[ 3.702339] audit: type=1404 audit(3.689:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[ 3.735700] init: (Initializing SELinux enforcing took 0.21s.)
[ 3.756117] init: init second stage started!
[ 3.782669] init: Running restorecon...
[ 3.871135] init: waitpid failed: No child processes
[ 3.878082] init: (Loading properties from /default.prop took 0.00s.)
[ 3.893401] init: (Parsing /init.environ.rc took 0.00s.)
[ 3.901061] init: (Parsing /init.usb.rc took 0.00s.)
[ 3.908407] init: (Parsing init.rti.usb.rc took 0.00s.)
[ 3.913779] init: (Parsing /init.rti.rc took 0.01s.)
[ 3.921436] init: (Parsing /init.usb.configfs.rc took 0.00s.)
[ 3.928031] init: (Parsing /init.zygote32.rc took 0.00s.)
[ 3.952284] ueventd: ueventd started!
[ 4.933427] ueventd: Coldboot took 0.97s.
[ 5.069612] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null)
[ 5.122878] EXT4-fs (mmcblk0p3): recovery complete
[ 5.132952] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.190442] EXT4-fs (mmcblk0p4): recovery complete
[ 5.198959] EXT4-fs (mmcblk0p4): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.479781] audit: type=1400 audit(5.469:4): avc: denied { execute } for pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 5.598026] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 5.617970] audit: type=1400 audit(5.609:5): avc: denied { execute } for pid=112 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 6.672095] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 7.679587] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 8.687039] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 9.694341] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 10.682690] init: Starting service 'console'...
[ 10.692087] audit: type=1400 audit(10.679:6): avc: denied { execute } for pid=115 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 10.711351] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 10.719237] init: cannot execve('/system/bin/sh'): Permission denied
[ 10.727762] init: Service 'console' (pid 115) exited with status 127
[ 10.734198] init: Service 'console' (pid 115) killing any children in process group
[ 11.711681] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 12.719108] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 13.726545] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 14.733860] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 15.741400] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 15.748768] init: Starting service 'console'...
[ 15.758260] audit: type=1400 audit(15.749:7): avc: denied { execute } for pid=116 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tc
.
.
Taking your suggestion further I tried setting SeLinux to permissive:
.
.
[ 0.000000] Kernel command line: console=ttymxc1,115200 init=/init androidboot.console=ttymxc1 androidboot.selinux=permissive androidboot.hardware=rti fec_mac=16:25:34:43:52:61
.
.
[ 3.506792] Freeing unused kernel memory: 1024K
[ 3.529112] init: init first stage started!
[ 3.553537] SELinux: Permission validate_trans in class security not defined in policy.
[ 3.562679] SELinux: Class cap_userns not defined in policy.
[ 3.568567] SELinux: Class cap2_userns not defined in policy.
[ 3.574421] SELinux: Class bpf not defined in policy.
[ 3.579777] SELinux: the above unknown classes and permissions will be denied
[ 3.701027] audit: type=1403 audit(3.689:2): policy loaded auid=4294967295 ses=4294967295
[ 3.712812] init: (Initializing SELinux non-enforcing took 0.18s.)
[ 3.733396] init: init second stage started!
[ 3.760392] init: Running restorecon...
[ 3.848540] init: waitpid failed: No child processes
[ 3.855405] init: (Loading properties from /default.prop took 0.00s.)
[ 3.870987] init: (Parsing /init.environ.rc took 0.00s.)
[ 3.878685] init: (Parsing /init.usb.rc took 0.00s.)
[ 3.886130] init: (Parsing init.rti.usb.rc took 0.00s.)
[ 3.891443] init: (Parsing /init.rti.rc took 0.01s.)
[ 3.899093] init: (Parsing /init.usb.configfs.rc took 0.00s.)
[ 3.905626] init: (Parsing /init.zygote32.rc took 0.00s.)
[ 3.929687] ueventd: ueventd started!
[ 4.919447] ueventd: Coldboot took 0.98s.
[ 5.056730] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null)
[ 5.169732] EXT4-fs (mmcblk0p3): recovery complete
[ 5.182124] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.284456] EXT4-fs (mmcblk0p4): recovery complete
[ 5.293213] EXT4-fs (mmcblk0p4): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.572581] audit: type=1400 audit(5.559:3): avc: denied { execute } for pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
[ 5.592848] audit: type=1400 audit(5.579:4): avc: denied { execute_no_trans } for pid=110 comm="init" path="/system/bin/vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
[ 54.755199] random: crng init done
With SeLinux set to permissive, I don't get the repeating binder errors, but I still don't get my console (hitting keys on the terminal does nothing). Note, I have verified my UART connection by booting into U-Boot, and booting into the Linux kernel without launching android.
Your (or anyone else's) help is greatly appreciated. Any other ideas, or things to try?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Eric,
Did you solve your problem in the meantime? I'm experiencing the same problem:
audit: type=1400 audit(63.320:4): avc: denied { write } for pid=1 comm="init" name="mmcblk0p1" dev="tmpfs" ino=8892 scontext=u:r:init:s0 tcontext=u:object_r:boot_block_device:s0 tclass=blk_file permissive=0
audit: type=1400 audit(63.430:5): avc: denied { execute } for pid=204 comm="init" name="vdc" dev="mmcblk0p1" ino=45961 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
audit: type=1400 audit(63.490:6): avc: denied { execute } for pid=206 comm="init" name="sh" dev="mmcblk0p1" ino=45869 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
With kind regards,
Tim
b36401
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try to set androidboot.selinux=disabled option in u-boot.
Have a great day,
Victor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
