Thanks Nick. Will try out your suggestions.

On Tuesday, October 13, 2015 at 1:54:47 PM UTC-5, Nick Kralevich wrote:
>
> This was covered on the seandroid mailing list. Please see
> https://www.mail-archive.com/[email protected]/msg02418.html
>
> A few things you can do:
>
> 1) Patch the kernel to not attempt module loading for alternate execution
> environments. This code never worked in the kernel anyway, so no harm in
> pulling it. Something like:
>
> diff --git a/kernel/exec_domain.c b/kernel/exec_domain.c > index 0dbeae3..a66ea19 100644 > --- a/kernel/exec_domain.c > +++ b/kernel/exec_domain.c
> @@ -68,7 +68,8 @@ > goto out; > } > > -#ifdef CONFIG_MODULES > + > +#if 0 > read_unlock(&exec_domains_lock); > request_module("personality-%d", pers); > read_lock(&exec_domains_lock);
>
> 2) Add a dontaudit SELinux rule to suppress these:
>
> Add the following to your device specific policy:
>
> dontaudit domain kernel:system module_request;
>
> However, please read
> https://www.mail-archive.com/[email protected]/msg02433.html
> before doing so.
>
> 3) Backport the patches from
> https://www.mail-archive.com/[email protected]/msg02418.html
>
> -- Nick
>
> On Monday, October 12, 2015 at 8:55:28 PM UTC-7, Vishal Mahaveer wrote:
>>
>> Hi,
>>
>> In Android-M, below change in bionic was introduced
>>
>> https://android-review.googlesource.com/122131
>>
>> Which caused lot of SELinux denials to be logged regarding module_request
>> (similar to below one) for 32bit systems, There is quite a lot of
>> module_request denials when any 32bit executable is executed.
>>
>> type=1400 audit(946685139.719:12): avc: denied { module_request } for
>> pid=1970 comm="tzdatacheck" kmod="personality-8"
>> scontext=u:r:tzdatacheck:s0 tcontext=u:r:kernel:s0 tclass=system
>> permissive=1
>>
>> The issue is discussed here
>>
>> http://marc.info/?t=144190478400004&r=1&w=2
>>
>> For kernel version < 4.0, is there any resolution available for resolving
>> these denials with out having to backport the removal of execution domain
>> patches from kernel 4.0?
>>
>> Is adding a dontaudit for kernel module_request good option?
>>
>> In our system disabling modules (CONFIG_MODULES=n) is currently not an
>> option.
>>
>> Regards,
>>
>> Vishal

--
website: http://groups.google.com/group/android-porting
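
Review bot: the `#if 0` in the kernel/exec_domain.c hunk compiles out the request_module("personality-%d", pers) call but leaves the dead block in the file with no comment saying why. Either delete the lines through the matching #endif or add a one-line comment stating that module loading for alternate personalities is intentionally disabled. The closing #endif is outside the visible context, so confirm that nothing else in the old CONFIG_MODULES block is compiled out unintentionally. The lone `+` line also adds a second consecutive blank line before the directive and can be dropped.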
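
Added example, not part of the thread or of AOSP: the dontaudit rule in option 2 matches on source domain, target, class and permission, not on the `kmod=` name, so it silences every module_request denial against kernel:system. This Python sketch splits such denials into `personality-*` requests and everything else; the log lines are constructed (the first mirrors the denial quoted in the thread) and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample audit lines; only the first comes from the thread.
SAMPLE_LOG = """\
type=1400 audit(946685139.719:12): avc: denied { module_request } for pid=1970 comm="tzdatacheck" kmod="personality-8" scontext=u:r:tzdatacheck:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
type=1400 audit(946685140.101:13): avc: denied { module_request } for pid=1988 comm="app_process32" kmod="personality-8" scontext=u:r:zygote:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
type=1400 audit(946685141.230:14): avc: denied { module_request } for pid=2040 comm="netd" kmod="net-pf-16-proto-9" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
type=1400 audit(946685142.500:15): avc: denied { read } for pid=2101 comm="sh" name="foo" scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of key=value fields plus 'perms', or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def module_request_summary(log_text):
    """Count the denials that 'dontaudit domain kernel:system module_request;'
    would hide, split into personality-* requests and all other modules."""
    personality, other = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or 'module_request' not in rec['perms']:
            continue
        ctx = rec.get('tcontext', '').split(':')
        if rec.get('tclass') != 'system' or len(ctx) < 3 or ctx[2] != 'kernel':
            continue
        src = rec.get('scontext', '').split(':')
        domain = src[2] if len(src) > 2 else '?'
        kmod = rec.get('kmod', '?')
        bucket = personality if kmod.startswith('personality-') else other
        bucket[(domain, kmod)] += 1
    return personality, other


if __name__ == '__main__':
    pers, other = module_request_summary(SAMPLE_LOG)
    print('personality requests:', dict(pers))
    print('other module requests the rule would also hide:', dict(other))
```

A non-empty second counter means the blanket rule would hide module requests unrelated to the personality lookups.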
