Re: [Regression?] 1ea0ce4069 ("selinux: allow changing labels for cgroupfs") stops Android from booting

From: John Stultz
Date: Fri Feb 24 2017 - 23:30:44 EST


On Fri, Feb 24, 2017 at 7:39 PM, Nick Kralevich <nnk@xxxxxxxxxx> wrote:
> Can you try adding the androidboot.selinux=permissive line to the kernel
> command line, to boot in permissive mode? I suspect the policy just needs to
> be adjusted.

Yep. It does seem to boot fine in permissive mode, just not in enforcing.

Any clues as to what might need to be tweaked policy-wise?

I know selinux is sort of special, as it's all about restricting
functionality, but this still "feels" a little bit like a regression
though, as userspace that worked before suddenly stopped working. I
don't want to throw a wrench in things and am ok if we can sort out
the policy changes, but longer term, it makes it hard to advocate for
devices to update their kernel if new kernels aren't going to just
work.

thanks
-john