[iMX8QM-MEK] How to change SELinux policy.

1,866 Views
sushi_happy
Contributor III

Hi.

I want to change the SELinux policy.

There are some messages in the boot log that look like this:

[ 38.282833] type=1400 audit(1663833591.156:10): avc: denied { read } for comm="Binder:326_2" name="wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.303821] type=1400 audit(1663833591.156:11): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.332556] type=1400 audit(1663833591.156:12): avc: denied { read } for comm="Binder:326_2" name="event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.353542] type=1400 audit(1663833591.156:13): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.384463] type=1400 audit(1663833591.156:14): avc: denied { getattr } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1


It seems that system_suspend violates SELinux policy.
So I think you need to change system_suspend.te in /system/sepolicy/private.
However, I get build errors whenever I edit files in /system/sepolicy.

How can I edit the /system/sepolicy directory and still build successfully?

0 Kudos
5 Replies
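The denial lines in the question are what a policy change should be derived from. The following script (an added example, not from the thread or from NXP) parses those avc lines, aggregates the requested permissions per source type, target type and class, and prints the minimal allow rules they imply; it then checks a proposed rule against what was actually observed. The sample log is the question's own lines; the expansion of rw_file_perms is an assumption to be checked against global_macros on your branch.

```python
import re
from collections import defaultdict

# Constructed sample: the four denial lines quoted in the question above.
SAMPLE_LOG = """\
[ 38.282833] type=1400 audit(1663833591.156:10): avc: denied { read } for comm="Binder:326_2" name="wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.303821] type=1400 audit(1663833591.156:11): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.332556] type=1400 audit(1663833591.156:12): avc: denied { read } for comm="Binder:326_2" name="event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.353542] type=1400 audit(1663833591.156:13): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.384463] type=1400 audit(1663833591.156:14): avc: denied { getattr } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
"""

# Fields of an avc denial that determine the allow rule: the permission set,
# the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r"avc: +denied +\{ *(?P<perms>[^}]*?) *\} .*?"
    r"scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)"
)

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc line (ordinary kernel output)
        src = m["scontext"].split(":")[2]   # u:r:system_suspend:s0 -> system_suspend
        tgt = m["tcontext"].split(":")[2]   # u:object_r:sysfs_batteryinfo:s0 -> sysfs_batteryinfo
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return rules

def format_rules(rules):
    """Render the minimal allow rules implied by the observed denials."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]

# Assumed approximation of the rw_file_perms macro; verify the exact expansion
# in system/sepolicy/public/global_macros on your branch before relying on it.
RW_FILE_PERMS = {"getattr", "open", "read", "ioctl", "lock", "map", "write", "append"}

def excess_perms(rules, key, granted):
    """Permissions a proposed rule grants that no denial ever asked for."""
    return granted - rules.get(key, set())

if __name__ == "__main__":
    observed = parse_denials(SAMPLE_LOG)
    print("\n".join(format_rules(observed)))
    key = ("system_suspend", "sysfs_batteryinfo", "file")
    print("unneeded by rw_file_perms:", sorted(excess_perms(observed, key, RW_FILE_PERMS)))
```

Running it on the question's log shows that the denials cover both the dir and the file class, and that rw_file_perms on the file class grants write access no denial asked for.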

1,833 Views
AldoG
NXP TechSupport

Hello,

Could you share which Android version you are using?

Best regards,
Aldo.

0 Kudos

1,826 Views
sushi_happy
Contributor III

@AldoG

Thank you for the reply.

I'm using android_automotive ver.11.0.0_2.3.0.

0 Kudos

1,700 Views
AldoG
NXP TechSupport

Hello,
Sorry for not updating sooner. Could you share what errors you get when trying to build?
Also, if possible, please share the changes you have made to system_suspend.te.

Best regards,
Aldo.

0 Kudos

1,634 Views
sushi_happy
Contributor III

Hello, @AldoG 

I don't know if it's correct, but I added the code below.

system_suspend.te (system/sepolicy/private):
allow system_suspend sysfs_batteryinfo:file rw_file_perms;

Then I got the following error.
[ 3% 4/128] build out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
FAILED: out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
/bin/bash -c "(diff -rq -x bug_map system/sepolicy/prebuilts/api/30.0/public system/sepolicy/public ) && (diff -rq -x bug_map system/sepolicy/prebuilts/api/30.0/private system/sepolicy/private ) && (touch out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
Files system/sepolicy/prebuilts/api/30.0/private/system_suspend.te and system/sepolicy/private/system_suspend.te are different

So I made the same changes to system_suspend.te in system/sepolicy/prebuilts/api/30.0/private.

The above error disappeared, but a new error appeared.
[ 17% 23/134] build out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/policy.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp neverallow -w -f out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/policy_2.conf || ( echo \"\" 1>&2; echo \"sepolicy-analyze failed. This is most likely due to the use\" 1>&2; echo \"of an expanded attribute in a neverallow assertion. Please fix\" 1>&2; echo \"the policy.\" 1>&2; exit 1 ) ) && (touch out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp ) && (mv out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows )"
libsepol.report_failure: neverallow on line 1395 of system/sepolicy/public/domain.te (or line 13406 of policy.conf) violated by allow system_suspend sysfs_batteryinfo:file { read open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy

0 Kudos

1,589 Views
AldoG
NXP TechSupport

Hello,

From the log you have shared, it seems that the changes were not fully correct. I would recommend following the Android documentation on how to handle this:

https://source.android.com/docs/security/features/selinux/device-policy#address_denials_of_core_serv...

Best regards,
Aldo.

0 Kudos