Hi.
I want to change the SELinux policy.
There are some messages in the boot log that look like this:
[ 38.282833] type=1400 audit(1663833591.156:10): avc: denied { read } for comm="Binder:326_2" name="wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.303821] type=1400 audit(1663833591.156:11): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.332556] type=1400 audit(1663833591.156:12): avc: denied { read } for comm="Binder:326_2" name="event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.353542] type=1400 audit(1663833591.156:13): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.384463] type=1400 audit(1663833591.156:14): avc: denied { getattr } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
It seems that system_suspend violates SELinux policy.
So I think you need to change system_suspend.te in /system/sepolicy/private.
However, I get build errors whenever I edit files in /system/sepolicy.
How can I edit the /system/sepolicy directory and still build successfully?
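The usual first step with denials like the ones above is to group them by (source domain, target type, object class) and turn them into candidate allow rules, which is what audit2allow does. The script below is an added example, not code from this thread or from AOSP: it parses the five avc lines quoted above (embedded as constructed sample input), extracts the type from each context string, and emits one allow rule per class. The function and variable names are my own. Note that it produces rules for both the dir and the file denials, and that each rule lists only the permissions actually seen in the log; a macro such as rw_file_perms is broader than that (it includes write), and any rule still has to pass the neverallow assertions in system/sepolicy/public when the policy is built.

```python
import re
from collections import defaultdict

# Constructed sample input: the avc denials quoted in the post above.
SAMPLE_LOG = """\
[ 38.282833] type=1400 audit(1663833591.156:10): avc: denied { read } for comm="Binder:326_2" name="wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.303821] type=1400 audit(1663833591.156:11): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8" dev="sysfs" ino=50702 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
[ 38.332556] type=1400 audit(1663833591.156:12): avc: denied { read } for comm="Binder:326_2" name="event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.353542] type=1400 audit(1663833591.156:13): avc: denied { open } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
[ 38.384463] type=1400 audit(1663833591.156:14): avc: denied { getattr } for comm="Binder:326_2" path="/sys/devices/platform/bus@5a000000/5a800000.i2c/i2c-2/2-0051/power_supply/tcpm-source-psy-2-0051/wakeup8/event_count" dev="sysfs" ino=50709 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
"""

# One avc denial: the permission set in braces, then the source/target contexts and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_denials(log_text):
    """Return one dict per avc denial line; lines that are not denials are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            "scontext": m.group("scontext"),
            "tcontext": m.group("tcontext"),
            "tclass": m.group("tclass"),
            # permissive=1 means the access was logged but not blocked.
            "permissive": "permissive=1" in line,
        })
    return denials


def type_of(context):
    """Third field of a security context is the type: u:r:system_suspend:s0 -> system_suspend."""
    return context.split(":")[2]


def allow_rules(denials):
    """Group denials by (source type, target type, class) and emit minimal allow rules."""
    grouped = defaultdict(list)  # (src, tgt, cls) -> permissions in first-seen order, no duplicates
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        for perm in d["perms"]:
            if perm not in grouped[key]:
                grouped[key].append(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def enforced_count(denials):
    """How many of the denials were actually enforced (permissive=0)."""
    return sum(1 for d in denials if not d["permissive"])


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(f"{len(found)} denials, {enforced_count(found)} enforced")
    for rule in allow_rules(found):
        print(rule)
```

Run it as-is and it prints a dir rule for read/open and a file rule for read/open/getattr, both from system_suspend to sysfs_batteryinfo. Whether those rules may be added to a core domain at all is a separate question answered by the neverallow rules in the public policy, not by the denial log.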
Hello, @AldoG
I don't know if it's correct, but I added the code below.
system_suspend.te (system/sepolicy/private):
allow system_suspend sysfs_batteryinfo:file rw_file_perms;
Then, I got the following error.
[ 3% 4/128] build out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
FAILED: out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
/bin/bash -c "(diff -rq -x bug_map system/sepolicy/prebuilts/api/30.0/public system/sepolicy/public ) && (diff -rq -x bug_map system/sepolicy/prebuilts/api/30.0/private system/sepolicy/private ) && (touch out/target/product/mek_8q/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
Files system/sepolicy/prebuilts/api/30.0/private/system_suspend.te and system/sepolicy/private/system_suspend.te are different
So I made the same changes to system_suspend.te in system/sepolicy/prebuilts/api/30.0/private.
The above error disappeared, but a new error appeared.
[ 17% 23/134] build out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/policy.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp neverallow -w -f out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/policy_2.conf || ( echo \"\" 1>&2; echo \"sepolicy-analyze failed. This is most likely due to the use\" 1>&2; echo \"of an expanded attribute in a neverallow assertion. Please fix\" 1>&2; echo \"the policy.\" 1>&2; exit 1 ) ) && (touch out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp ) && (mv out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/mek_8q/obj/FAKE/sepolicy_neverallows_intermediates/sepolicy_neverallows )"
libsepol.report_failure: neverallow on line 1395 of system/sepolicy/public/domain.te (or line 13406 of policy.conf) violated by allow system_suspend sysfs_batteryinfo:file { read open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
Hello,
From the log you have shared, it seems that the changes were not fully correct. I would recommend following the Android documentation on how to handle this:
https://source.android.com/docs/security/features/selinux/device-policy#address_denials_of_core_serv...
Best regards,
Aldo.