    allow init tmpfs:dir relabelfrom · 543faccc
    Nick Kralevich authored
    When encrypting a device, or when an encrypted device boots,
    a tmpfs is mounted in place of /data, so that a pseudo filesystem
    exists to start system_server and related components. SELinux labels
    need to be applied to that tmpfs /data so the system boots
    properly.
    
    Allow init to relabel a tmpfs /data.
    
    Addresses the following denial:
    
    [    6.294896] type=1400 audit(29413651.850:4): avc:  denied  { relabelfrom } for  pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
    
    Steps to reproduce:
      1) Go into Settings > Security > Encrypt Phone
      2) Encrypt phone
      3) See denial
      4) reboot phone
      5) See denial on boot
    
    Bug: 19050686
    Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
init.te 8.92 KiB