generic_device
SEPolicy build issue
Hi,
I'm building linaro-arm-userdebug with android-7.1.2_r36 and I'm having the following error:
FAILED: /bin/bash -c "(out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/policy.conf ) && (out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates//sepolicy.dontaudit out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/policy.conf.dontaudit ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/sepolicy )"
device/linaro/generic//sepolicy/init-sh.te:3:**ERROR** 'attribute vendor_file_type is not declared' at token ';' on line 21252:
type init-sh_exec, exec_type, vendor_file_type, file_type;
type init-sh, domain;
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/linaro_arm/obj/ETC/sepolicy_intermediates/policy.conf
I can overcome this by commenting out the vendor_* related lines in device/linaro/generic/sepolicy/init-sh.te, but when I try to run the resulting images with qemu I'm having SEPolicy issues that may be due to this forced workaround. Here's a snippet of the boot process:
[ 3.056575] Freeing unused kernel memory: 2048K
[ 3.078497] Run /init as init process
[ 3.496801] init: init first stage started!
[ 3.576077] SELinux: Permission validate_trans in class security not defined in policy.
[ 3.577231] SELinux: Permission getrlimit in class process not defined in policy.
[ 3.578055] SELinux: Class process2 not defined in policy.
[ 3.578848] SELinux: Permission map in class file not defined in policy.
[ 3.579642] SELinux: Permission map in class dir not defined in policy.
[ 3.580377] SELinux: Permission map in class lnk_file not defined in policy.
[ 3.581144] SELinux: Permission map in class chr_file not defined in policy.
[ 3.581915] SELinux: Permission map in class blk_file not defined in policy.
[ 3.582626] SELinux: Permission map in class sock_file not defined in policy.
[ 3.583434] SELinux: Permission map in class fifo_file not defined in policy.
[ 3.584168] SELinux: Permission map in class socket not defined in policy.
[ 3.584888] SELinux: Permission map in class tcp_socket not defined in policy.
[ 3.586051] SELinux: Permission map in class udp_socket not defined in policy.
[ 3.586883] SELinux: Permission map in class rawip_socket not defined in policy.
[ 3.587526] SELinux: Permission map in class netlink_socket not defined in policy.
[ 3.588154] SELinux: Permission map in class packet_socket not defined in policy.
[ 3.588771] SELinux: Permission map in class key_socket not defined in policy.
[ 3.589369] SELinux: Permission map in class unix_stream_socket not defined in policy.
[ 3.590234] SELinux: Permission map in class unix_dgram_socket not defined in policy.
[ 3.591215] SELinux: Permission map in class netlink_route_socket not defined in policy.
[ 3.592111] SELinux: Permission map in class netlink_tcpdiag_socket not defined in policy.
[ 3.593048] SELinux: Permission map in class netlink_nflog_socket not defined in policy.
[ 3.593922] SELinux: Permission map in class netlink_xfrm_socket not defined in policy.
[ 3.594830] SELinux: Permission map in class netlink_selinux_socket not defined in policy.
[ 3.596374] SELinux: Permission map in class netlink_iscsi_socket not defined in policy.
[ 3.597280] SELinux: Permission map in class netlink_audit_socket not defined in policy.
[ 3.598078] SELinux: Permission map in class netlink_fib_lookup_socket not defined in policy.
[ 3.598883] SELinux: Permission map in class netlink_connector_socket not defined in policy.
[ 3.599496] SELinux: Permission map in class netlink_netfilter_socket not defined in policy.
[ 3.600442] SELinux: Permission map in class netlink_dnrt_socket not defined in policy.
[ 3.601296] SELinux: Permission map in class netlink_kobject_uevent_socket not defined in policy.
[ 3.601987] SELinux: Permission map in class netlink_generic_socket not defined in policy.
[ 3.602738] SELinux: Permission map in class netlink_scsitransport_socket not defined in policy.
[ 3.603600] SELinux: Permission map in class netlink_rdma_socket not defined in policy.
[ 3.604289] SELinux: Permission map in class netlink_crypto_socket not defined in policy.
[ 3.605066] SELinux: Permission map in class appletalk_socket not defined in policy.
[ 3.606920] SELinux: Permission map in class dccp_socket not defined in policy.
[ 3.607410] SELinux: Permission map in class tun_socket not defined in policy.
[ 3.607787] SELinux: Class cap_userns not defined in policy.
[ 3.608098] SELinux: Class cap2_userns not defined in policy.
[ 3.608333] SELinux: Class sctp_socket not defined in policy.
[ 3.608543] SELinux: Class icmp_socket not defined in policy.
[ 3.608751] SELinux: Class ax25_socket not defined in policy.
[ 3.608958] SELinux: Class ipx_socket not defined in policy.
[ 3.609168] SELinux: Class netrom_socket not defined in policy.
[ 3.609497] SELinux: Class atmpvc_socket not defined in policy.
[ 3.609800] SELinux: Class x25_socket not defined in policy.
[ 3.610068] SELinux: Class rose_socket not defined in policy.
[ 3.610406] SELinux: Class decnet_socket not defined in policy.
[ 3.610726] SELinux: Class atmsvc_socket not defined in policy.
[ 3.611050] SELinux: Class rds_socket not defined in policy.
[ 3.611354] SELinux: Class irda_socket not defined in policy.
[ 3.611678] SELinux: Class pppox_socket not defined in policy.
[ 3.612005] SELinux: Class llc_socket not defined in policy.
[ 3.612306] SELinux: Class can_socket not defined in policy.
[ 3.612617] SELinux: Class tipc_socket not defined in policy.
[ 3.612935] SELinux: Class bluetooth_socket not defined in policy.
[ 3.613332] SELinux: Class iucv_socket not defined in policy.
[ 3.613651] SELinux: Class rxrpc_socket not defined in policy.
[ 3.613958] SELinux: Class isdn_socket not defined in policy.
[ 3.614280] SELinux: Class phonet_socket not defined in policy.
[ 3.614604] SELinux: Class ieee802154_socket not defined in policy.
[ 3.614927] SELinux: Class caif_socket not defined in policy.
[ 3.615811] SELinux: Class alg_socket not defined in policy.
[ 3.616145] SELinux: Class nfc_socket not defined in policy.
[ 3.616404] SELinux: Class vsock_socket not defined in policy.
[ 3.616644] SELinux: Class kcm_socket not defined in policy.
[ 3.616894] SELinux: Class qipcrtr_socket not defined in policy.
[ 3.617147] SELinux: Class smc_socket not defined in policy.
[ 3.617399] SELinux: Class infiniband_pkey not defined in policy.
[ 3.617664] SELinux: Class infiniband_endport not defined in policy.
[ 3.617933] SELinux: Class bpf not defined in policy.
[ 3.618163] SELinux: Class xdp_socket not defined in policy.
[ 3.618460] SELinux: the above unknown classes and permissions will be denied
[ 3.619298] SELinux: policy capability network_peer_controls=1
[ 3.619594] SELinux: policy capability open_perms=1
[ 3.619815] SELinux: policy capability extended_socket_class=0
[ 3.620080] SELinux: policy capability always_check_network=0
[ 3.620328] SELinux: policy capability cgroup_seclabel=0
[ 3.620562] SELinux: policy capability nnp_nosuid_transition=0
[ 3.780787] audit: type=1403 audit(1538556036.540:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[ 3.821932] init: (Initializing SELinux non-enforcing took 0.32s.)
[ 3.841183] audit: type=1400 audit(1538556036.600:3): avc: denied { map } for pid=1 comm="init" path="/file_contexts.bin" dev="rootfs" ino=4966 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[ 3.902253] audit: type=1400 audit(1538556036.660:4): avc: denied { map } for pid=1 comm="init" path="/init" dev="rootfs" ino=4968 scontext=u:r:init:s0 tcontext=u:object_r:init_exec:s0 tclass=file permissive=1
[ 3.949475] init: init second stage started!
[ 3.968878] audit: type=1400 audit(1538556036.730:5): avc: denied { map } for pid=1 comm="init" path="/dev/__properties__/u:object_r:opengles_prop:s0" dev="tmpfs" ino=5465 scontext=u:r:init:s0 tcontext=u:object_r:opengles_prop:s0 tclass=file permissive=1
[ 3.974451] audit: type=1400 audit(1538556036.730:6): avc: denied { map } for pid=1 comm="init" path="/dev/__properties__/u:object_r:radio_noril_prop:s0" dev="tmpfs" ino=5466 scontext=u:r:init:s0 tcontext=u:object_r:radio_noril_prop:s0 tclass=file permissive=1
[ 3.977571] audit: type=1400 audit(1538556036.740:7): avc: denied { map } for pid=1 comm="init" path="/dev/__properties__/u:object_r:qemu_prop:s0" dev="tmpfs" ino=5467 scontext=u:r:init:s0 tcontext=u:object_r:qemu_prop:s0 tclass=file permissive=1
[ 3.979872] audit: type=1400 audit(1538556036.740:8): avc: denied { map } for pid=1 comm="init" path="/dev/__properties__/u:object_r:dalvik_prop:s0" dev="tmpfs" ino=5468 scontext=u:r:init:s0 tcontext=u:object_r:dalvik_prop:s0 tclass=file permissive=1
[ 3.982144] audit: type=1400 audit(1538556036.740:9): avc: denied { map } for pid=1 comm="init" path="/dev/__properties__/u:object_r:config_prop:s0" dev="tmpfs" ino=5469 scontext=u:r:init:s0 tcontext=u:object_r:config_prop:s0 tclass=file permissive=1
[ 3.984765] audit: type=1400 audit(1538556036.740:10): avc: denied { map } for pid=1 comm="init" path="/dev/__properties__/u:object_r:nfc_prop:s0" dev="tmpfs" ino=5470 scontext=u:r:init:s0 tcontext=u:object_r:nfc_prop:s0 tclass=file permissive=1
[ 4.103766] init: Running restorecon...
[ 4.493090] init: waitpid failed: No child processes
[ 4.500144] init: (Loading properties from /default.prop took 0.01s.)
[ 4.578983] init: (Parsing /init.environ.rc took 0.00s.)
[ 4.590725] init: (Parsing /init.usb.rc took 0.01s.)
[ 4.594029] init: (Parsing /init.unknown.rc took 0.00s.)
[ 4.608825] init: (Parsing /init.usb.configfs.rc took 0.01s.)
[ 4.612636] init: (Parsing /init.zygote32.rc took 0.00s.)
[ 4.613439] init: (Parsing /init.rc took 0.08s.)
[ 4.712206] ueventd: ueventd started!
[ 6.503184] kauditd_printk_skb: 36 callbacks suppressed
[ 6.503535] audit: type=1400 audit(1538556039.260:47): avc: denied { write } for pid=1 comm="init" name="cpu" dev="proc" ino=4026531922 scontext=u:r:init:s0 tcontext=u:object_r:proc:s0 tclass=dir permissive=1
[ 6.516575] audit: type=1400 audit(1538556039.260:48): avc: denied { add_name } for pid=1 comm="init" name="alignment" scontext=u:r:init:s0 tcontext=u:object_r:proc:s0 tclass=dir permissive=1
[ 6.517649] audit: type=1400 audit(1538556039.280:49): avc: denied { create } for pid=1 comm="init" name="alignment" scontext=u:r:init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
[ 6.729283] audit: type=1400 audit(1538556039.490:50): avc: denied { create } for pid=1 comm="init" name="cpu.rt_period_us" scontext=u:r:init:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=1
[ 6.786755] audit: type=1400 audit(1538556039.550:51): avc: denied { module_request } for pid=1 comm="init" kmod="fs-cpuset" scontext=u:r:init:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
[ 7.917265] audit: type=1400 audit(1538556040.680:52): avc: denied { map } for pid=66 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=4981 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[ 8.051816] audit: type=1400 audit(1538556040.810:53): avc: denied { map } for pid=67 comm="adbd" path="/sbin/adbd" dev="rootfs" ino=4980 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[ 8.115873] audit: type=1400 audit(1538556040.870:54): avc: denied { map } for pid=66 comm="healthd" path="/dev/__properties__/properties_serial" dev="tmpfs" ino=5500 scontext=u:r:healthd:s0 tcontext=u:object_r:properties_serial:s0 tclass=file permissive=1
[ 8.194399] audit: type=1400 audit(1538556040.950:55): avc: denied { map } for pid=66 comm="healthd" path="/dev/binder" dev="tmpfs" ino=5542 scontext=u:r:healthd:s0 tcontext=u:object_r:binder_device:s0 tclass=chr_file permissive=1
[ 8.205283] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855
[ 8.255899] audit: type=1400 audit(1538556041.010:56): avc: denied { map } for pid=67 comm="adbd" path="/dev/__properties__/properties_serial" dev="tmpfs" ino=5500 scontext=u:r:adbd:s0 tcontext=u:object_r:properties_serial:s0 tclass=file permissive=1
[ 9.231615] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855
[ 9.270079] ueventd: Coldboot took 4.52s.
[ 10.235870] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855
[ 11.237537] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855
[ 12.238884] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855
Basically at the end of the boot process I get this binder message over and over and nothing is displayed in the emulator.
Any ideas?
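Added example, not part of the original post: a small Python triage of the boot log above that separates denials on permissions the kernel reports as "not defined in policy" from denials on permissions the policy does define. The sample lines are copied from the log in this post; the function and variable names are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Lines copied from the boot log in the post above (a subset).
SAMPLE_LOG = """\
[ 3.578848] SELinux: Permission map in class file not defined in policy.
[ 3.617933] SELinux: Class bpf not defined in policy.
[ 3.841183] audit: type=1400 audit(1538556036.600:3): avc: denied { map } for pid=1 comm="init" path="/file_contexts.bin" dev="rootfs" ino=4966 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[ 6.503535] audit: type=1400 audit(1538556039.260:47): avc: denied { write } for pid=1 comm="init" name="cpu" dev="proc" ino=4026531922 scontext=u:r:init:s0 tcontext=u:object_r:proc:s0 tclass=dir permissive=1
[ 6.517649] audit: type=1400 audit(1538556039.280:49): avc: denied { create } for pid=1 comm="init" name="alignment" scontext=u:r:init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
[ 7.917265] audit: type=1400 audit(1538556040.680:52): avc: denied { map } for pid=66 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=4981 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[ 8.205283] binder: 66:66 transaction failed 29189/-22, size 0-0 line 2855
"""

UNDEF_PERM = re.compile(r"SELinux:\s+Permission (\S+) in class (\S+) not defined in policy")
UNDEF_CLASS = re.compile(r"SELinux:\s+Class (\S+) not defined in policy")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def triage(log):
    """Return (unknown_classes, policy_gap, missing_rule) for a kernel boot log."""
    undefined, unknown_classes = set(), set()
    denials = defaultdict(set)  # (source type, target type, class) -> perms
    for line in log.splitlines():
        if m := UNDEF_PERM.search(line):
            undefined.add((m.group(2), m.group(1)))  # stored as (class, perm)
        elif m := UNDEF_CLASS.search(line):
            unknown_classes.add(m.group(1))
        elif m := AVC.search(line):
            perms, scon, tcon, tclass = m.groups()
            # Android contexts look like u:r:init:s0; field 2 is the type.
            key = (scon.split(":")[2], tcon.split(":")[2], tclass)
            denials[key].update(perms.split())
    policy_gap, missing_rule = {}, {}
    for key, perms in denials.items():
        gap = {p for p in perms if (key[2], p) in undefined}
        if gap:
            policy_gap[key] = gap            # permission unknown to the loaded policy
        if perms - gap:
            missing_rule[key] = perms - gap  # permission defined; denied by the rules
    return unknown_classes, policy_gap, missing_rule


if __name__ == "__main__":
    classes, gap, missing = triage(SAMPLE_LOG)
    print("classes unknown to policy:", sorted(classes))
    for label, table in (("undefined permission", gap), ("denied by rules", missing)):
        for (src, tgt, cls), perms in sorted(table.items()):
            print(f"{label}: {src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

On the sample lines, the `{ map }` denials land in the first group, which the log itself accounts for with "the above unknown classes and permissions will be denied".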
Hello, I have encountered the same problem as you. How can I solve it?
You need to look at the files in /system/etc/selinux on your working device: plat_property_context, plat_seapp_context, plat_sepolicy_cill, plat_service_context.
@matobra Hi, did you fix it? Thanks.
Only guesses.