Android 7.1 SELinux vdc & sh unlabeled boot fail

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Android 7.1 SELinux vdc & sh unlabeled boot fail

4,383 Views
ericnelson1
Contributor I

I am porting Android 7.1 to our IMX53 product. I ran into a problem with SELinux that doesn't seem to make sense. The boot log looks like this:

.

.

.

[ 3.506650] Freeing unused kernel memory: 1024K
[ 3.528875] init: init first stage started!
[ 3.553382] SELinux: Permission validate_trans in class security not defined in policy.
[ 3.562534] SELinux: Class cap_userns not defined in policy.
[ 3.568418] SELinux: Class cap2_userns not defined in policy.
[ 3.574269] SELinux: Class bpf not defined in policy.[ 3.579623] SELinux: the above unknown classes and permissions will be denied
[ 3.701006] audit: type=1403 audit(3.689:2): policy loaded auid=4294967295 ses=4294967295
[ 3.712563] audit: type=1404 audit(3.699:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[ 3.745760] init: (Initializing SELinux enforcing took 0.21s.)
[ 3.766315] init: init second stage started!
[ 3.792985] init: Running restorecon...
[ 3.880962] init: waitpid failed: No child processes
[ 3.887834] init: (Loading properties from /default.prop took 0.00s.)
[ 3.903302] init: (Parsing /init.environ.rc took 0.00s.)
[ 3.910929] init: (Parsing /init.usb.rc took 0.00s.)
[ 3.918296] init: (Parsing init.rti.usb.rc took 0.00s.)
[ 3.923605] init: (Parsing /init.rti.rc took 0.01s.)
[ 3.931310] init: (Parsing /init.usb.configfs.rc took 0.00s.)
[ 3.937856] init: (Parsing /init.zygote32.rc took 0.00s.)
[ 3.962443] ueventd: ueventd started!
[ 4.942899] ueventd: Coldboot took 0.97s.
[ 5.078709] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null)
[ 5.139472] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.182104] EXT4-fs (mmcblk0p4): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.493959] audit: type=1400 audit(5.479:4): avc: denied { execute } for pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 5.593161] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 5.607788] audit: type=1400 audit(5.599:5): avc: denied { execute } for pid=112 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 6.663334] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 7.670798] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 8.678255] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 9.685626] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004

.

.

.

As you can see "vdc", and "sh" seem to be missing a label for SELinux. However, I clearly see the label being set in android source under /system/sepolicy/file_contexts:

/system/bin/sh   --   u:object_r:shell_exec:s0

/system/bin/vdc     u:object_r:vdc_exec:s0

Further, if I try to provide my own label for these same files in /device/rti/kx10/sepolicy/file_contexts, I get a compile errors:

out/target/product/kx10/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp: Multiple same specifications for /system/bin/sh.

out/target/product/kx10/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp: Multiple same specifications for /system/bin/vdc.

So if sh & vdc have a label defined, why does the SELinux audit indicates these files are "unlabeled"???

Because of this error I cannot get a shell started to allow me to use other debug tools (ex. logcat). Does anyone have any ideas, thoughts, or suggestions that might help me proceed??

Thanks in advance,

Eric Nelson

Labels (1)
0 Kudos
5 Replies

2,455 Views
ericnelson1
Contributor I

Hi Tim,

Unfortunately I did not. I have since abandon the en devour & gone to a different processor & different BSP. Although I still wish I knew the answer if for no other reason than to learn from it.

0 Kudos

2,455 Views
timgruijters
Contributor II

Hey Eric,

Thank you for your response. My problem results from the SELinux context being dropped by copying a file from the system image when the context from that file isn't understood by the operating system and archiving it into a tarball. Although tar has the 'p' option for preserving permissions for files, it doesn't keep the SELinux context.

With kind regards,

Tim

0 Kudos

2,454 Views
ericnelson1
Contributor I

Thanks for the suggestion Victor. I changed the linux command line in uboot to androidboot.selinux=disabled. The debug UART during boot now shows selinux set to disabled:

.

.

[ 0.000000] Kernel command line: console=ttymxc1,115200 init=/init androidboot.console=ttymxc1 androidboot.selinux=disabled androidboot.hardware=rti fec_mac=16:25:34:43:52:61

.

.

Later in the boot log when android starts, I see similar (but not identical) behavior. Strangely I still see SeLinux message with "denied", and "permissive=0":

.

.

[ 3.496813] Freeing unused kernel memory: 1024K
[ 3.519002] init: init first stage started!
[ 3.543559] SELinux: Permission validate_trans in class security not defined in policy.
[ 3.552690] SELinux: Class cap_userns not defined in policy.
[ 3.558577] SELinux: Class cap2_userns not defined in policy.
[ 3.564467] SELinux: Class bpf not defined in policy.
[ 3.569671] SELinux: the above unknown classes and permissions will be denied
[ 3.690836] audit: type=1403 audit(3.679:2): policy loaded auid=4294967295 ses=4294967295
[ 3.702339] audit: type=1404 audit(3.689:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[ 3.735700] init: (Initializing SELinux enforcing took 0.21s.)
[ 3.756117] init: init second stage started!
[ 3.782669] init: Running restorecon...
[ 3.871135] init: waitpid failed: No child processes
[ 3.878082] init: (Loading properties from /default.prop took 0.00s.)
[ 3.893401] init: (Parsing /init.environ.rc took 0.00s.)
[ 3.901061] init: (Parsing /init.usb.rc took 0.00s.)
[ 3.908407] init: (Parsing init.rti.usb.rc took 0.00s.)
[ 3.913779] init: (Parsing /init.rti.rc took 0.01s.)
[ 3.921436] init: (Parsing /init.usb.configfs.rc took 0.00s.)
[ 3.928031] init: (Parsing /init.zygote32.rc took 0.00s.)
[ 3.952284] ueventd: ueventd started!
[ 4.933427] ueventd: Coldboot took 0.97s.
[ 5.069612] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null)
[ 5.122878] EXT4-fs (mmcblk0p3): recovery complete
[ 5.132952] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.190442] EXT4-fs (mmcblk0p4): recovery complete
[ 5.198959] EXT4-fs (mmcblk0p4): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.479781] audit: type=1400 audit(5.469:4): avc: denied { execute } for pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 5.598026] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 5.617970] audit: type=1400 audit(5.609:5): avc: denied { execute } for pid=112 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 6.672095] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 7.679587] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 8.687039] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 9.694341] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 10.682690] init: Starting service 'console'...
[ 10.692087] audit: type=1400 audit(10.679:6): avc: denied { execute } for pid=115 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 10.711351] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 10.719237] init: cannot execve('/system/bin/sh'): Permission denied
[ 10.727762] init: Service 'console' (pid 115) exited with status 127
[ 10.734198] init: Service 'console' (pid 115) killing any children in process group
[ 11.711681] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 12.719108] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 13.726545] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 14.733860] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 15.741400] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 15.748768] init: Starting service 'console'...
[ 15.758260] audit: type=1400 audit(15.749:7): avc: denied { execute } for pid=116 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tc

.

.

Taking your suggestion further I tried setting SeLinux to permissive:

.

.

[ 0.000000] Kernel command line: console=ttymxc1,115200 init=/init androidboot.console=ttymxc1 androidboot.selinux=permissive androidboot.hardware=rti fec_mac=16:25:34:43:52:61

.

.

[ 3.506792] Freeing unused kernel memory: 1024K
[ 3.529112] init: init first stage started!
[ 3.553537] SELinux: Permission validate_trans in class security not defined in policy.
[ 3.562679] SELinux: Class cap_userns not defined in policy.
[ 3.568567] SELinux: Class cap2_userns not defined in policy.
[ 3.574421] SELinux: Class bpf not defined in policy.
[ 3.579777] SELinux: the above unknown classes and permissions will be denied
[ 3.701027] audit: type=1403 audit(3.689:2): policy loaded auid=4294967295 ses=4294967295
[ 3.712812] init: (Initializing SELinux non-enforcing took 0.18s.)
[ 3.733396] init: init second stage started!
[ 3.760392] init: Running restorecon...
[ 3.848540] init: waitpid failed: No child processes
[ 3.855405] init: (Loading properties from /default.prop took 0.00s.)
[ 3.870987] init: (Parsing /init.environ.rc took 0.00s.)
[ 3.878685] init: (Parsing /init.usb.rc took 0.00s.)
[ 3.886130] init: (Parsing init.rti.usb.rc took 0.00s.)
[ 3.891443] init: (Parsing /init.rti.rc took 0.01s.)
[ 3.899093] init: (Parsing /init.usb.configfs.rc took 0.00s.)
[ 3.905626] init: (Parsing /init.zygote32.rc took 0.00s.)
[ 3.929687] ueventd: ueventd started!
[ 4.919447] ueventd: Coldboot took 0.98s.
[ 5.056730] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null)
[ 5.169732] EXT4-fs (mmcblk0p3): recovery complete
[ 5.182124] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.284456] EXT4-fs (mmcblk0p4): recovery complete
[ 5.293213] EXT4-fs (mmcblk0p4): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.572581] audit: type=1400 audit(5.559:3): avc: denied { execute } for pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
[ 5.592848] audit: type=1400 audit(5.579:4): avc: denied { execute_no_trans } for pid=110 comm="init" path="/system/bin/vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
[ 54.755199] random: crng init done

With SeLinux set to permissive, I don't get the repeating binder errors, but I still don't get my console (hitting keys on the terminal does nothing). Note, I have verified my UART connection by booting into U-Boot, and booting into the Linux kernel without launching android.

Your (or anyone else's) help is greatly appreciated. Any other ideas, or things to try?

0 Kudos

2,454 Views
timgruijters
Contributor II

Hey Eric,

Did you solve your problem in the meantime? I'm experiencing the same problem:
audit: type=1400 audit(63.320:4): avc: denied { write } for pid=1 comm="init" name="mmcblk0p1" dev="tmpfs" ino=8892 scontext=u:r:init:s0 tcontext=u:object_r:boot_block_device:s0 tclass=blk_file permissive=0
audit: type=1400 audit(63.430:5): avc: denied { execute } for pid=204 comm="init" name="vdc" dev="mmcblk0p1" ino=45961 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
audit: type=1400 audit(63.490:6): avc: denied { execute } for pid=206 comm="init" name="sh" dev="mmcblk0p1" ino=45869 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0

With kind regards,
Tim

0 Kudos

2,454 Views
b36401
NXP Employee
NXP Employee

Please try to set androidboot.selinux=disabled option in u-boot.

Have a great day,
Victor

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos