RIL 9 SELinux

We’re following the steps described in ReadMe.txt of Android 9 RIL and we followed every step, but the SELinux step is not very clear to us. We disabled SELinux from .config; is that enough? Or should we also copy the below files into the Android SEpolicy? What about the existing files? Overwrite?

Hi @wzhang … I saw that you comment on Android stuff … can you advise here please? Thanks

Hi @georges.torval91 ,
Those te files are just for reference. They worked OK on our reference Hikey960 board. For your platform, you could try to use your own policy based on your system.
If you get any issue, you need to capture kernel logs, find “avc: denied” or other avc failure logs, and use audit2allow from your build system to adjust such te files.

Thanks,

Hi @georges.torval91,
I am not sure which platform you are using. Please note that Sierra doesn’t support x86 from Android 7.1.6 RIL any more, so if you use Android >= version 7 you have to deploy it on a 64-bit OS.
Thanks

@wzhang,

  • But if I choose to disable SELinux from .config, I don’t need to add these files in my /sepolicy, right?
  • In my image I have the following files (RPI3); do I need to add other files?
ll device/rpiorg/rpi3/sepolicy/
-rw-r--r--  1   759 Mar 20 00:11 file_contexts
-rw-r--r--  1   75 Mar 20 00:11 init.te
-rw-r--r--  1   274 Mar 20 00:11 kernel.te
-rw-r--r--  1   84 Mar 20 00:11 netd.te
-rw-r--r--  1   48 Mar 20 00:11 system_server.te
  • Yes, you are right, I have some lines with “avc: denied”. I don’t understand why I got these lines, as I disabled SELinux from the kernel … how can I use “audit2allow” to fix this please?

type=1400 audit(1616367437.919:69): avc: denied { open } for pid=1149 comm=“cat” path=“/proc/cpu/alignment” dev=“proc” ino=4026532797 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
type=1400 audit(1616367795.119:70): avc: denied { read } for pid=1154 comm=“cat” name=“model” dev=“sysfs” ino=66 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
type=1400 audit(1616367795.119:70): avc: denied { read } for pid=1154 comm=“cat” name=“model” dev=“sysfs” ino=66 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
type=1400 audit(1616367795.119:71): avc: denied { open } for pid=1154 comm=“cat” path=“/sys/firmware/devicetree/base/model” dev=“sysfs” ino=66 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1


@Vianney, I use RPI3

Thank you guys

@georges.torval91
1, I think the configuration to disable SELinux may not be enough.
2, It seems the avc denials are not related to RIL.
3, audit2allow is in your Android source code folder ./external/selinux/prebuilts/bin/audit2allow. I think you could google how to use it to generate a .te file from your kernel logs and add such a .te file to your system.

refer to https://source.android.com/security/selinux/validate#using_audit2allow

Thanks,

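An added example, not part of the thread and not Sierra's or AOSP's code: a small Python sketch of the step audit2allow performs, run over the four denial lines posted above. It groups denials by source type, target type and class, renders candidate allow rules, and counts how many denials carry permissive=1, which marks an access that was logged but not blocked. The function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the four denial lines posted in this thread (ASCII quotes).
SAMPLE_LOG = """\
type=1400 audit(1616367437.919:69): avc: denied { open } for pid=1149 comm="cat" path="/proc/cpu/alignment" dev="proc" ino=4026532797 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
type=1400 audit(1616367795.119:70): avc: denied { read } for pid=1154 comm="cat" name="model" dev="sysfs" ino=66 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
type=1400 audit(1616367795.119:70): avc: denied { read } for pid=1154 comm="cat" name="model" dev="sysfs" ino=66 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
type=1400 audit(1616367795.119:71): avc: denied { open } for pid=1154 comm="cat" path="/sys/firmware/devicetree/base/model" dev="sysfs" ino=66 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<perm>[01]))?")

def sel_type(context):
    """Type field of a user:role:type:level context, e.g. u:r:shell:s0 -> shell."""
    return context.split(":")[2]

def parse_denials(log):
    """Return ({(src_type, tgt_type, class): perms}, per-mode denial counts)."""
    rules = defaultdict(set)
    modes = {"permissive": 0, "enforcing": 0}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (sel_type(m["src"]), sel_type(m["tgt"]), m["cls"])
        rules[key].update(m["perms"].split())
        # permissive=1: logged but allowed. Anything else is counted as
        # enforcing (an assumption of this sketch for logs without the field).
        modes["permissive" if m["perm"] == "1" else "enforcing"] += 1
    return dict(rules), modes

def to_allow_rules(rules):
    """Render grouped denials as candidate .te allow rules (audit2allow style)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    rules, modes = parse_denials(SAMPLE_LOG)
    print(modes)
    print("\n".join(to_allow_rules(rules)))
```

Review generated rules before adding them to a .te file: a rule on a generic type such as proc or sysfs covers every file carrying that label, not only the path in the log line.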