Hi.
I want to change the SELinux policy.
There are some messages in the boot log that look like this:
[ 38.282833] type=1400 audit(1663833591.156:10): avc: denied { read } for comm="Binder:326_2" name="wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.303821] type=1400 audit(1663833591.156:11): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.332556] type=1400 audit(1663833591.156:12): avc: denied { read } for comm="Binder:326_2" name="event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.353542] type=1400 audit(1663833591.156:13): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.384463] type=1400 audit(1663833591.156:14): avc: denied { getattr } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
It seems that system_suspend violates SELinux policy.
So I think you need to change system_suspend.te in /system/sepolicy/private.
However, I get build errors whenever I edit files in /system/sepolicy.
How can I edit the /system/sepolicy directory and still build successfully?
Hello,
Could you share which Android version you are using?
Best regards,
Aldo.
Hello,
Sorry for not updating sooner. Could you share what errors you get when trying to build?
Also, if possible, please share the changes you have made to system_suspend.te.
Best regards,
Aldo.
Hello, @AldoG
I don't know if it's correct, but I added the code below.
system_suspend.te (system/sepolicy/private):
allow system_suspend sysfs_batteryinfo:file rw_file_perms;
Then, I got the following error.
[ 3% 4/128] build out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
FAILED: out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
/bin/bash -c "(diff -rq -x bug_map system/sepolicy/prebuilts/api/30.0/public system/sepolicy/public ) && (diff -rq -x bug_map system/sepolicy/prebuilts/api/30.0/private system/sepolicy/private ) && (touch out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
Files system/sepolicy/prebuilts/api/30.0/private/system_suspend.te and system/sepolicy/private/system_suspend.te are different
So I made the same changes to system_suspend.te in system/sepolicy/prebuilts/api/30.0/private.
The above error disappeared, but a new error appeared.
[ 17% 23/134] build out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/policy.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp neverallow -w -f out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/policy_2.conf || ( echo \"\" 1>&2; echo \"sepolicy-analyze failed. This is most likely due to the use\" 1>&2; echo \"of an expanded attribute in a neverallow assertion. Please fix\" 1>&2; echo \"the policy.\" 1>&2; exit 1 ) ) && (touch out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp ) && (mv out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows )"
libsepol.report_failure: neverallow on line 1395 of system/sepolicy/public/domain.te (or line 13406 of policy.conf) violated by allow system_suspend sysfs_batteryinfo:file { read open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
Hello,
From the log you have shared, it seems that the changes were not fully correct. I would recommend following the Android documentation on how to handle this:
https://source.android.com/docs/security/features/selinux/device-policy#address_denials_of_core_serv...
Best regards,
Aldo.