
I am unable to make sense of this message, which I get on my Android application. Any experts in the house?

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
matdev
Jay

3 Answers

The given SELinux violation:

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0

Below I'll try to give an explanation of the important parts of the above violation:

denied { create } : Operation Permission State : The denied permission that was requested / executed. In this case, it is a create operation. SELinux is denying permission to execute a create dir/file operation.

name="access_control.new_commit.cv" : Target name : The name of the target (in this case, the file/dir name) which your application is probably trying to create.

scontext=u:r:untrusted_app:s0 : Source Context : The source context for this security violation. This indicates which domain/process is trying to execute the create functionality. Here, untrusted_app applications are those which are launched by zygote.

tcontext=u:object_r:fuse:s0 : Target Context : The security context of the target resource (in this case the file). Here, the source tried to create a file in the FUSE file system, which has been denied.

tclass=fifo_file : Target Class : The class of the target.

In one sentence, SELinux denied the permission to untrusted_app to create the access_control.new_commit.cv file in fuse.

From the Google source, check the SEPolicy file untrusted_app.te to see how the permission has been denied.

NB: If you have any suggestion about the answer, let me know.

Hamid Shatu

  • Thanks. This happened when I try to write to the Realm file the first time. But when I come around the second time I am able to write to the Realm DB. So why does it happen only the first time around when the application is launched? – Jay Aug 07 '17 at 03:45

According to Validating SELinux | Android Open Source Project, for the message:

type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0

the key info is:

  • Action: create
  • Actor=scontext=source context: untrusted_app
  • Object=tcontext=target context: fuse
    • object_r=object read ?
  • Result=tclass=target class: fifo_file=FIFO file
  • permissive=permissive mode: 0 -> NOT permissive mode
    • -> is Enforce mode ?

translated into a human-readable sentence:

untrusted_app wants to create a fifo_file for fuse

(But the enforcing mode of Android SELinux STOPS it because there is no permission, so you see the above logcat log info)

crifan

I could add that running audit2allow on the error message will give you a suggestion on how to update the untrusted_app.te file.

Dump dmesg to a text file, then feed only the avc lines to audit2allow:

dmesg > /sdcard/dmesg.txt
grep avc /sdcard/dmesg.txt | audit2allow

will give you the following result in this case:

#============= untrusted_app ==============
allow untrusted_app fuse:fifo_file create;

Add this line to untrusted_app.te and rebuild the Android kernel!

Matzone
  • `audit2allow` isn't present on my Android device, so I `adb pull`ed the `dmesg.txt` to WSL. I had to install `audit2allow` using `sudo apt install policycoreutils-python-utils`. I also needed to grab the policy file `adb pull /sys/fs/selinux/policy`, then change the call to `audit2allow -p policy`. – cod3monk3y May 04 '22 at 19:08
  • From the [AOSP docs](https://source.android.com/security/selinux/validate#using_audit2allow), "_Note: audit2allow is not provided as part of AOSP anymore. Use the package supplied by your Linux distribution (package policycoreutils-python-utils on Debian and Ubuntu)._" – cod3monk3y May 04 '22 at 19:09
  • Also note: untrusted_app.te [is located in](https://stackoverflow.com/q/64275449/1174169) `/system/sepolicy/private/untrusted_app.te`, which is not accessible (at least for me) on non-rooted devices. – cod3monk3y May 04 '22 at 19:17
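A small worked example, added here and not part of any answer on this page, that does by hand what the first answer describes field by field and what audit2allow does in the third answer: it parses "avc: denied" lines, keeps the MLS categories (the c512,c768 suffix on both contexts, which the quoted contexts in the first answer drop), records whether the denial was enforced (permissive=0 means the create() call really failed, which is consistent with the questioner's first write failing), and emits an allow rule in the same shape as the audit2allow suggestion above. The first sample line is the denial from the question; the second line, the noise line and all function names are constructed for illustration and do not come from the page.

```python
import re

# Constructed sample input (not from the page): line 1 is the denial quoted in
# the question, line 2 is a made-up denial with two permissions and permissive=1
# to show the general case, line 3 is noise that must be ignored.
SAMPLE_LOG = """\
type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
type=1400 audit(0.0:2240): avc: denied { read write } for name="example.sock" dev="tmpfs" ino=1234 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=sock_file permissive=1
[   12.345678] init: some unrelated kernel log line
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split u:r:untrusted_app:s0:c512,c768 into its SELinux fields.

    user:role:type:sensitivity[:categories]; the categories are the per-app MLS
    part that the quoted contexts in the first answer leave out."""
    parts = ctx.split(":")
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "sensitivity": parts[3] if len(parts) > 3 else "",
        "categories": parts[4].split(",") if len(parts) > 4 else [],
    }


def parse_avc(line):
    """Return a dict for an 'avc: denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "name": fields.get("name"),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the policy was enforced: the syscall really failed.
        "permissive": fields.get("permissive") == "1",
    }


def describe(d):
    """The 'human readable sentence' of the second answer, with the mode spelled out."""
    src, tgt = d["scontext"], d["tcontext"]
    outcome = "logged only (permissive)" if d["permissive"] else "blocked (enforcing)"
    same_cats = src["categories"] == tgt["categories"]
    return (f"{src['type']} wanted to {'/'.join(d['perms'])} the {d['tclass']} "
            f"{d['name']!r} labelled {tgt['type']}; "
            f"source and target categories match: {same_cats}; {outcome}")


def allow_rule(d):
    """Same shape as the audit2allow suggestion in the third answer."""
    perms = d["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d['scontext']['type']} {d['tcontext']['type']}:{d['tclass']} {perm_str};"


def triage(log_text):
    """Parse every denial in a dmesg/logcat dump; non-AVC lines are skipped."""
    return [d for d in (parse_avc(line) for line in log_text.splitlines()) if d]


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(describe(d))
        print("   ", allow_rule(d))
```

Two caveats a practitioner would want alongside the allow rule it prints: untrusted_app is the domain shared by third-party apps, so the rule from the third answer widens policy for all of them, not just the questioner's app, and it only takes effect in a rebuilt system image, which the comments above note is out of reach on a stock, non-rooted device.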