How to write sepolicy to fix a denial

sepolicy.md

Migrated with additional information to my blog: https://msfjarvis.dev/posts/understanding-and-resolving-selinux-denials-on-android/

--------------

Denial in question

avc: denied { read write } for pid=29059 comm="i.tetherservice" name="ipa" dev="tmpfs" ino=11991 scontext=u:r:system_app:s0 tcontext=u:object_r:ipa_dev:s0 tclass=chr_file permissive=0

sepolicy fix

allow system_app ipa_dev:chr_file {read write};

How did I write it? Easy.

First, you need to identify the process/device which attempted the action which raised the denial.

The value in scontext is the offender. In our case, it is system_app.

Next, find the domains where access was attempted. This is found by taking the value of tcontext, splitting it on the : delimiter and taking index 2, or the second value from right. Club it with the value of tclass and you get the domain, which is ipa_dev:chr_file in our example.

Finally, find the action being performed. This is fairly simple.

avc: denied { read write } for

{read write} is the action here.

Put this all together and you get the final sepolicy rule.

Labelling in SELinux

To define new types for adding sepolicy exclusions, we use labelling.

For this example, let's assume we want to label the KCal sysfs nodes under the sysfs_kcal type.

KCal sysfs nodes are inside the /sys/devices/platform/kcal_ctrl.0/ directory. To put them all under a single label, we use a simple regex. The type name should be added to file_contexts in your device tree's sepolicy folder. If it doesn't exist, create it.

/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:sysfs_kcal:s0

This line in file_contexts will put all files inside the /sys/devices/platform/kcal_ctrl.0/ folder under the sysfs_kcal label.

Next we open up the relative .te file for the domain we want to grant access to the KCal sysfs. Let's assume it's system_app, for this example.

Open up system_app.te from your sepolicy dir (create if missing, usual drill).

First, we need to define what types does the sysfs_kcal label can be. For granting read/write access, it will have to be fs_type and sysfs_type, as should be obvious.

type sysfs_kcal, fs_type, sysfs_type;

There, we can now add exclusions for sysfs_kcal treating it as a sysfs node as well as a filesystem item, like a folder or a file.

To be able to read or write to the sysfs node, we need to be able to find it first. Then we need to grant system_app the ability to read and write from and to it.

allow system_app sysfs_kcal:dir search; allow system_app sysfs_kcal:file rw_file_perms;

Here we utilise the fs_type declaration to treat the labelled sysfs nodes as a directory as well as a file and grant the necessary permissions.

And that's it! Now all system apps can read from and write to all nodes in the /sys/devices/platform/kcal_ctrl.0/ directory.

how to fix denial like 01-04 04:04:34.746 327 327 I init : type=1400 audit(0.0:3): avc: denied { execute_no_trans } for path="/system/vendor/bin/hw/[email protected]" dev="mmcblk0p23" ino=2630 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1

denied { read } for name="u:object_r:qemu_hw_mainkeys_prop:s0" dev="tmpfs" ino=8318 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:qemu_hw_mainkeys_prop:s0 tclass=file permissive=1

Thanks for this, dude!

How to get denial log?

Sir, i have the following denials on oreo 8.1. how to write sepolicy to fix this.?

343 343 W [email protected]: type=1400 audit(0.0:8): avc: denied { read write } for name="brightness" dev="sysfs" ino=14905 scontext=u:r:hal_light_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

4005 W .omnirom.device: type=1400 audit(0.0:9): avc: denied { write } for name="gesture_ctrl" dev="sysfs" ino=3135 scontext=u:r:system_app:s0 tcontext=u:object_r:touchpanel_sysfs:s0 tclass=file permissive=0

4597 W com.android.settings: type=1400 audit(0.0:14): avc: denied { call } for comm=4173796E635461736B202335 scontext=u:r:system_app:s0 tcontext=u:r:wificond:s0 tclass=binder permissive=0

272 E SELinux : avc: denied { find } for service=installd pid=4383 uid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:installd_service:s0 tclass=service_manager permissive=0

Thank you very much for this guide

thanks,i thought sepolicy hard thing but this is pretty simple now for me

log:
06-08 16:15:01.598 W/Binder:3172_4(3172): type=1400 audit(0.0:35360): avc: denied { write } for name="property_service" dev="tmpfs" ino=14201 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Policy fix:
allow priv_app property_socket:sock_file {write};

But I'm user not builder how do I implement this in selinux policy....

Hello Sir I am developing an app and I am getting a similar warning. Could you please explain more where to write the policy. Is it in the android studio in my app's folder or is it somewhere in the device (It may sound stupid) Sorry for that. Thanks

Thanks Man..Cheers..

I have android logcat spammed with these denials:

10-15 22:02:29.039 12944 12944 W kworker/0:4: type=1400 audit(0.0:87190): avc: denied { read write } for name="sde73" dev="tmpfs" ino=28978 scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0

I understand that I should write a rule:
allow kernel oem_device:blk_file {read write};

adb pull /sys/fs/selinux/policy
adb logcat -b all -d | audit2allow -p policy #this confirms the rule

My question is, where exactly should i add this? Which are next steps? Thank you!

Woahh, great tutorial! Thank you very much! ^_^

This is how i handled the problems. Hope it is helpful:

To identify issues:
adb shell su - logcat *:W | grep --line-buffered 'avc'

In termux or via adb, i created a start-up script:

su -
cd /data/adb/post-fs-data.d #or /data/adb/service.d
touch fix_selinux.sh
chmod +x fix_selinux.sh
vi selinux.sh

This is the script that fixes some selinux issues (this is for reference only):

#####  START OF SCRIPT ######


#KERNEL
/sbin/magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
/sbin/magiskpolicy --live 'allow kernel kernel capability {kill}'

#SHELL
/sbin/magiskpolicy --live 'allow shell rootfs file {getattr}'

#SYSTEM
/sbin/magiskpolicy --live 'allow system_app system_data_file dir {read write create setattr}'
/sbin/magiskpolicy --live 'allow system_app system_data_file file {create}'

#MAGISK
/sbin/magiskpolicy --live 'allow magisk_client vendor_file dir {read}'

#HAL
/sbin/magiskpolicy --live 'allow hal_memtrack_default sysfs_kgsl dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server file {read open getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default proc file {getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default sensors_dbg_prop file {read open getattr map}'

echo "selinux ok" > /data/adb/post-fs-data.d/status_selinux.log

#####  END OF SCRIPT ######

Details of how magiskpolicy works: https://topjohnwu.github.io/Magisk/guides.html#boot-scripts

i have the loopback device created and mounted the partition under the /data/, and this location needs to accessed by the privileged app annd the framework, can you suggest how to write the selinux policy for this

This is how i handled the problems. Hope it is helpful:

To identify issues: adb shell su - logcat *:W | grep --line-buffered 'avc'

In termux or via adb, i created a start-up script:

su -
cd /data/adb/post-fs-data.d #or /data/adb/service.d
touch fix_selinux.sh
chmod +x fix_selinux.sh
vi selinux.sh

This is the script that fixes some selinux issues (this is for reference only):

#####  START OF SCRIPT ######


#KERNEL
/sbin/magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
/sbin/magiskpolicy --live 'allow kernel kernel capability {kill}'

#SHELL
/sbin/magiskpolicy --live 'allow shell rootfs file {getattr}'

#SYSTEM
/sbin/magiskpolicy --live 'allow system_app system_data_file dir {read write create setattr}'
/sbin/magiskpolicy --live 'allow system_app system_data_file file {create}'

#MAGISK
/sbin/magiskpolicy --live 'allow magisk_client vendor_file dir {read}'

#HAL
/sbin/magiskpolicy --live 'allow hal_memtrack_default sysfs_kgsl dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server dir {search}'
/sbin/magiskpolicy --live 'allow hal_perf_default system_server file {read open getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default proc file {getattr}'
/sbin/magiskpolicy --live 'allow hal_sensors_default sensors_dbg_prop file {read open getattr map}'

echo "selinux ok" > /data/adb/post-fs-data.d/status_selinux.log

#####  END OF SCRIPT ######

Details of how magiskpolicy works: https://topjohnwu.github.io/Magisk/guides.html#boot-scripts

To identify issues: adb shell su -C logcat *:W | grep --line-buffered 'avc'

damn this is always useful to brush up sepolicy

yeah works great fixed my problems on one of my apps failing to load files from my sd card

how to get granted logs any idea?

how to get granted logs any idea?

set to permissive you will see logs or check logcat or dmesg