Re: [Regression?] 1ea0ce4069 ("selinux: allow changing labels for cgroupfs") stops Android from booting

From: John Stultz
Date: Fri Feb 24 2017 - 21:01:43 EST


On Thu, Feb 23, 2017 at 4:01 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Thu, Feb 23, 2017 at 1:43 PM, John Stultz <john.stultz@xxxxxxxxxx> wrote:
>> Hey folks,
>> I've not been able to figure out why yet, but I wanted to raise the
>> issue that last night I found I couldn't boot Android on my Hikey
>> board with Linus' HEAD kernel. It seems to cause logd to crash
>> repeatedly so I'm not able to get debug info from logcat.
>>
>> I do see the following over and over on the console:
>>
>> [ 12.505838] init: computing context for service 'logd'
>> [ 12.506355] init: starting service 'logd'...
>> [ 12.507683] init: property_set("ro.boottime.logd", "12500792498") failed: property already set
>> [ 12.508701] init: Created socket '/dev/socket/logd', mode 666, user 1036, group 1036
>> [ 12.509294] init: Created socket '/dev/socket/logdr', mode 666, user 1036, group 1036
>> [ 12.509891] init: Created socket '/dev/socket/logdw', mode 222, user 1036, group 1036
>> [ 12.510132] init: Opened file '/proc/kmsg', flags 0
>> [ 12.510187] init: Opened file '/dev/kmsg', flags 1
>> [ 12.510353] init: couldn't write 1941 to /dev/cpuset/system-background/tasks: No such file or directory
>> [ 12.533046] init: Service 'logd' (pid 1941) exited with status 255
>>
>>
>> I did some bisection and narrowed it down to 1ea0ce4069 ("selinux:
>> allow changing labels for cgroupfs"), which was merged in yesterday.
>> I've not yet been able to figure out the root cause, but reverting
>> that patch makes things work again.
>>
>> So I wanted to raise the issue here so folks were aware.
>>
>> If there is anything folks want me to test or try, please let me know.
>
> Unfortunately I don't have an Android test system to play with, have
> any of the SEAndroid folks on the To/CC line seen a similar problem?

So from my very limited knowledge here, adding the patch in question
seems to make the cgroup mount get the SBLABEL_MNT flag?
Which I'm guessing is causing additional selinux restrictions on
processes accessing cgroup mounts, which causes some of the early
initialization processes to fail?

Should this change mean the selinux policy needs to be updated?

thanks
-john
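
One way to check the SBLABEL_MNT question raised in this message, as an added example that is not part of the original post: SELinux appends `seclabel` to a mount's options in /proc/mounts when the superblock has SBLABEL_MNT set, so comparing the cgroup mounts with and without the patch shows whether the flag changed. The function name and the sample mount lines (including `/acct`) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which cgroup mounts carry the
# "seclabel" mount option. SELinux prints "seclabel" in /proc/mounts for
# superblocks that have SBLABEL_MNT set.

# Usage: cgroup_seclabel_report [mounts-file]
#   mounts-file defaults to /proc/mounts; "-" reads standard input.
# Output: one line per cgroup/cgroup2 mount:
#   <mountpoint> <fstype> labeled|unlabeled
cgroup_seclabel_report() {
    awk '
        $3 == "cgroup" || $3 == "cgroup2" {
            # Field 4 is the comma-separated option list; match the exact
            # token so an option that merely contains "seclabel" is ignored.
            n = split($4, opts, ",")
            state = "unlabeled"
            for (i = 1; i <= n; i++)
                if (opts[i] == "seclabel")
                    state = "labeled"
            print $2, $3, state
        }
    ' "${1:--}"
}

# Constructed sample in /proc/mounts format: one cgroup mount without the
# option, one with it, and a tmpfs line that must be skipped.
sample_mounts() {
    cat <<'EOF'
none /acct cgroup rw,relatime,cpuacct 0 0
none /dev/cpuset cgroup rw,seclabel,relatime,cpuset 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
EOF
}

# Demo on the constructed sample; on a device, run:
#   cgroup_seclabel_report /proc/mounts
sample_mounts | cgroup_seclabel_report -
```

Running it on a kernel with the patch applied and again with it reverted gives a direct before/after view of the cgroup mounts.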