FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

[iMX8QM-MEK] How to change SELinux policy.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

[iMX8QM-MEK] How to change SELinux policy.

‎09-22-2022 01:41 AM
1,700 Views
sushi_happy
Contributor III

Hi.

I want to change the SELinux policy.

There are some messages in the boot log that look like this:

[ 38.282833] type=1400 audit(1663833591.156:10): avc: denied { read } for comm="Binder:326_2" name="wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.303821] type=1400 audit(1663833591.156:11): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.332556] type=1400 audit(1663833591.156:12): avc: denied { read } for comm="Binder:326_2" name="event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.353542] type=1400 audit(1663833591.156:13): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.384463] type=1400 audit(1663833591.156:14): avc: denied { getattr } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1


It seems that system_suspend violates SELinux policy.
So I think you need to change system_suspend.te in /system/sepolicy/private.
However, I get build errors whenever I edit files in /system/sepolicy.

How can I edit the /system/sepolicy directory and still build successfully?

0 Kudos
Reply
5 Replies

‎09-27-2022 05:56 PM
1,667 Views
AldoG
NXP TechSupport
NXP TechSupport

Hello,

Could you share which Android version you are using?

Best regards,
Aldo.

0 Kudos
Reply

‎09-27-2022 06:48 PM
1,660 Views
sushi_happy
Contributor III

@AldoG 

thank you to reply.

I'm using android_automotive ver.11.0.0_2.3.0.

0 Kudos
Reply

‎10-20-2022 05:57 PM
1,534 Views
AldoG
NXP TechSupport
NXP TechSupport

Hello,
 
Sorry for not updating sooner, could you share what errors you get when trying to build?
Also, if possible please share the changes you have made to system_suspend.te?

Best regards,
Aldo.

0 Kudos
Reply

‎11-11-2022 01:07 AM
1,468 Views
sushi_happy
Contributor III

Hello, @AldoG 

I don't know if it's correct, but I added the code below.

system_suspend.te(system/sepolicy/private)
allow system_suspend sysfs_batteryinfo:file rw_file_perms;

 

Then, I got the following error.
[ 3% 4/128] build out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
FAILED: out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
/bin/bash -c "(diff -rq -x bug_map system/sepolicy/prebuilts/api/30.0/public system/sepolicy/public ) && (diff -rq -x bug_map system/sepolicy/prebuilts/api/30.0/private system/sepolicy/private ) && (touch out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
Files system/sepolicy/prebuilts/api/30.0/private/system_suspend.te and system/sepolicy/private/system_suspend.te are different

 

So I made the same changes to system_suspend.te in system/sepolicy/prebuilts/api/30.0/private.

The above error disappeared, but a new error appeared.
[ 17% 23/134] build out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/policy.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp neverallow -w -f out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/policy_2.conf || ( echo \"\" 1>&2; echo \"sepolicy-analyze failed. This is most likely due to the use\" 1>&2; echo \"of an expanded attribute in a neverallow assertion. Please fix\" 1>&2; echo \"the policy.\" 1>&2; exit 1 ) ) && (touch out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp ) && (mv out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows )"
libsepol.report_failure: neverallow on line 1395 of system/sepolicy/public/domain.te (or line 13406 of policy.conf) violated by allow system_suspend sysfs_batteryinfo:file { read open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy

0 Kudos
Reply

‎12-09-2022 02:03 PM
1,423 Views
AldoG
NXP TechSupport
NXP TechSupport

Hello,

By the log you have shared it seems that changes were not fully correct, I would recommend to follow android documentation on how to handle this:

https://source.android.com/docs/security/features/selinux/device-policy#address_denials_of_core_serv...

Best regards,
Aldo.

0 Kudos
Reply