
Android 7.1 SELinux vdc & sh unlabeled boot fail

Question asked by Eric Nelson on Feb 8, 2018
Latest reply on Feb 12, 2018 by Eric Nelson

I am porting Android 7.1 to our IMX53 product. I ran into a problem with SELinux that doesn't seem to make sense. The boot log looks like this:

.

.

.

[ 3.506650] Freeing unused kernel memory: 1024K
[ 3.528875] init: init first stage started!
[ 3.553382] SELinux: Permission validate_trans in class security not defined in policy.
[ 3.562534] SELinux: Class cap_userns not defined in policy.
[ 3.568418] SELinux: Class cap2_userns not defined in policy.
[ 3.574269] SELinux: Class bpf not defined in policy.
[ 3.579623] SELinux: the above unknown classes and permissions will be denied
[ 3.701006] audit: type=1403 audit(3.689:2): policy loaded auid=4294967295 ses=4294967295
[ 3.712563] audit: type=1404 audit(3.699:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[ 3.745760] init: (Initializing SELinux enforcing took 0.21s.)
[ 3.766315] init: init second stage started!
[ 3.792985] init: Running restorecon...
[ 3.880962] init: waitpid failed: No child processes
[ 3.887834] init: (Loading properties from /default.prop took 0.00s.)
[ 3.903302] init: (Parsing /init.environ.rc took 0.00s.)
[ 3.910929] init: (Parsing /init.usb.rc took 0.00s.)
[ 3.918296] init: (Parsing init.rti.usb.rc took 0.00s.)
[ 3.923605] init: (Parsing /init.rti.rc took 0.01s.)
[ 3.931310] init: (Parsing /init.usb.configfs.rc took 0.00s.)
[ 3.937856] init: (Parsing /init.zygote32.rc took 0.00s.)
[ 3.962443] ueventd: ueventd started!
[ 4.942899] ueventd: Coldboot took 0.97s.
[ 5.078709] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null)
[ 5.139472] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.182104] EXT4-fs (mmcblk0p4): mounted filesystem with ordered data mode. Opts: errors=panic
[ 5.493959] audit: type=1400 audit(5.479:4): avc: denied { execute } for pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 5.593161] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 5.607788] audit: type=1400 audit(5.599:5): avc: denied { execute } for pid=112 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 6.663334] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 7.670798] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 8.678255] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 9.685626] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004

.

.

.

As you can see, "vdc" and "sh" seem to be missing a label for SELinux. However, I clearly see the label being set in the Android source under /system/sepolicy/file_contexts:

/system/bin/sh   --   u:object_r:shell_exec:s0

/system/bin/vdc     u:object_r:vdc_exec:s0

Further, if I try to provide my own label for these same files in /device/rti/kx10/sepolicy/file_contexts, I get compile errors:

out/target/product/kx10/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp: Multiple same specifications for /system/bin/sh.

out/target/product/kx10/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp: Multiple same specifications for /system/bin/vdc.

So if sh & vdc have a label defined, why does the SELinux audit indicate these files are "unlabeled"???

Because of this error I cannot get a shell started to allow me to use other debug tools (ex. logcat). Does anyone have any ideas, thoughts, or suggestions that might help me proceed??

Thanks in advance,

Eric Nelson
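
The comparison made in the question, as an added example that is not part of the original post: a Python sketch that pulls the AVC denials with an unlabeled target out of the boot log and pairs each with the label file_contexts specifies for that binary. The function names are hypothetical, both inputs are copied from the post, and matching on the last path component is a simplification because the audit record carries only the file name.

```python
import re

# Sample input: three lines copied from the boot log in the post.
BOOT_LOG = """\
[ 5.493959] audit: type=1400 audit(5.479:4): avc: denied { execute } for pid=110 comm="init" name="vdc" dev="mmcblk0p2" ino=654340 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[ 5.593161] binder: 111:111 transaction failed 29189/-22, size 0-0 line 3004
[ 5.607788] audit: type=1400 audit(5.599:5): avc: denied { execute } for pid=112 comm="init" name="sh" dev="mmcblk0p2" ino=654293 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
"""
# Sample input: the two file_contexts entries quoted in the post.
FILE_CONTEXTS = """\
/system/bin/sh   --   u:object_r:shell_exec:s0
/system/bin/vdc     u:object_r:vdc_exec:s0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log):
    """Return one dict per 'avc: denied' record; other kernel lines are skipped."""
    records = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
        rec['perms'] = m.group('perms').split()
        records.append(rec)
    return records

def parse_file_contexts(text):
    """Return (path_regex, context) pairs; the optional file-type field ('--') is dropped."""
    specs = []
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split()
        if len(parts) in (2, 3):
            specs.append((parts[0], parts[-1]))
    return specs

def label_gaps(log, contexts):
    """Pair each denial on an unlabeled target with the label the policy specifies."""
    specs = parse_file_contexts(contexts)
    gaps = []
    for d in parse_denials(log):
        if d.get('tcontext', '').split(':')[2:3] != ['unlabeled']:
            continue
        for path, ctx in specs:
            # Simplification (assumption): compare only the final path component.
            if path.rsplit('/', 1)[-1] == d.get('name'):
                gaps.append((d['name'], d['dev'], int(d['ino']), path, ctx))
    return gaps

if __name__ == '__main__':
    for name, dev, ino, path, ctx in label_gaps(BOOT_LOG, FILE_CONTEXTS):
        print(f'{path}: policy specifies {ctx}, kernel saw unlabeled (dev={dev} ino={ino})')
```

The tcontext in each record is the label the kernel read for that inode on mmcblk0p2, while file_contexts is only the specification that labeling tools apply.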
