question about this crash,stuck at logo asus but i can get the log
here is the log
--------- beginning of main
__bionic_open_tzdata: couldn't find any tzdata when looking for localtime!
__bionic_open_tzdata: couldn't find any tzdata when looking for GMT!
__bionic_open_tzdata: couldn't find any tzdata when looking for posixrules!
E/ServiceManager( 0): failed to open binder driver
W/auditd ( 252): type=2000 audit(0.0:1): initialized
I/auditd ( 252): type=1403 audit(0.0:2): policy loaded auid=4294967295 ses=4294967295
W/lmkd ( 254): type=1400 audit(0.0:3): avc: denied { execmem } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=process result=0
W/lmkd ( 254): type=1400 audit(0.0:5): avc: denied { execmem } for scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=process result=0
W/servicemanager( 255): type=1400 audit(0.0:4): avc: denied { execmem } for scontext=u:r:servicemanager:s0 tcontext=u:r:servicemanager:s0 tclass=process result=0
W/surfaceflinger( 257): type=1400 audit(0.0:6): avc: denied { execmem } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:surfaceflinger:s0 tclass=process result=0
W/logd ( 252): type=1400 audit(0.0:7): avc: denied { execmem } for scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=process result=0
W/lmkd ( 254): type=1400 audit(0.0:8): avc: denied { module_request } for kmod="personality-8" scontext=u:r:lmkd:s0 tcontext=u:r:kernel:s0 tclass=system result=0
W/surfaceflinger( 257): type=1400 audit(0.0:9): avc: denied { module_request } for kmod="personality-8" scontext=u:r:surfaceflinger:s0 tcontext=u:r:kernel:s0 tclass=system result=0
W/servicemanager( 255): type=1400 audit(0.0:11): avc: denied { module_request } for kmod="personality-8" scontext=u:r:servicemanager:s0 tcontext=u:r:kernel:s0 tclass=system result=0
I/lowmemorykiller( 0): Using in-kernel low memory killer interface
W/keystore( 273): type=1400 audit(0.0:12): avc: denied { execmem } for scontext=u:r:keystore:s0 tcontext=u:r:keystore:s0 tclass=process result=0
W/sdcard ( 280): type=1400 audit(0.0:13): avc: denied { execmem } for scontext=u:r:sdcardd:s0 tcontext=u:r:sdcardd:s0 tclass=process result=0
W/debuggerd( 276): type=1400 audit(0.0:14): avc: denied { execmem } for scontext=u:r:debuggerd:s0 tcontext=u:r:debuggerd:s0 tclass=process result=0
W/sdcard ( 280): type=1400 audit(0.0:15): avc: denied { module_request } for kmod="personality-8" scontext=u:r:sdcardd:s0 tcontext=u:r:kernel:s0 tclass=system result=0
W/keystore( 273): type=1400 audit(0.0:16): avc: denied { module_request } for kmod="personality-8" scontext=u:r:keystore:s0 tcontext=u:r:kernel:s0 tclass=system result=0
W/netd ( 275): type=1400 audit(0.0:17): avc: denied { execmem } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=process result=0
W/installd( 278): type=1400 audit(0.0:18): avc: denied { execmem } for scontext=u:r:installd:s0 tcontext=u:r:installd:s0 tclass=process result=0
W/sh ( 274): type=1400 audit(0.0:19): avc: denied { module_request } for kmod="personality-8" scontext=u:r:shell:s0 tcontext=u:r:kernel:s0 tclass=system result=0
W/installd( 278): type=1400 audit(0.0:20): avc: denied { module_request } for kmod="personality-8" scontext=u:r:installd:s0 tcontext=u:r:kernel:s0 tclass=system result=0
I/installd( 278): installd firing up
I/ ( 276): debuggerd: Apr 8 2016 14:47:26
--------- beginning of system
I/sdcard ( 280): [fuse_debug]fuse.free_size =2991951872
E/sdcard ( 280): missing packages.list; retrying
E/sdcard ( 280): missing packages.list; retrying
W/surfaceflinger( 314): type=1400 audit(0.0:28): avc: denied { execmem } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:surfaceflinger:s0 tclass=process result=0
W/servicemanager( 312): type=1400 audit(0.0:29): avc: denied { module_request } for kmod="personality-8" scontext=u:r:servicemanager:s0 tcontext=u:r:kernel:s0 tclass=system result=0
W/surfaceflinger( 314): type=1400 audit(0.0:30): avc: denied { module_request } for kmod="personality-8" scontext=u:r:surfaceflinger:s0 tcontext=u:r:kernel:s0 tclass=system result=0
E/ServiceManager( 312): failed to open binder driver
W/mediaserver( 320): type=1400 audit(0.0:31): avc: denied { execmem } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=process result=0
W/app_process( 329): type=1400 audit(0.0:32): avc: denied { module_request } for kmod="personality-8" scontext=u:r:zygote:s0 tcontext=u:r:kernel:s0 tclass=system result=0
E/sdcard ( 280): missing packages.list; retrying
E/ServiceManager( 339): failed to open binder driver
E/sdcard ( 280): missing packages.list; retrying
W/sh ( 356): type=1400 audit(0.0:33): avc: denied { execmem } for scontext=u:r:adbd:s0 tcontext=u:r:adbd:s0 tclass=process result=0
W/keystore( 348): type=1400 audit(0.0:34): avc: denied { module_request } for kmod="personality-8" scontext=u:r:keystore:s0 tcontext=u:r:kernel:s0 tclass=system result=0
E/sdcard ( 280): missing packages.list; retrying
E/ServiceManager( 372): failed to open binder driver
I/SurfaceFlinger( 374): SurfaceFlinger is starting
I/SurfaceFlinger( 374): SurfaceFlinger's main thread ready to run. Initializing graphics H/W...
F/libEGL ( 374): couldn't find an OpenGL ES implementation
--------- beginning of crash
F/libc ( 374): Fatal signal 6 (SIGABRT), code 0 in tid 374 (surfaceflinger)
I/DEBUG ( 276): failed to change ownership of /data/tombstones: Read-only file system
Click to expand...
Click to collapse
HagameHyuma said:
question about this crash,stuck at logo asus but i can get the log
here is the log
Click to expand...
Click to collapse
you have 2x fatal error, but i dont know if are the problem, you should PM tank or dgadelha
I've seen people recommending to set selinux to permissive to solve camera lag on Oreo rooted with Magisk.
I think that's a pretty bad idea since it completely defeats having selinux at all. Permissive selinux + root is an especially dangerous combination, as explained here by @Jman420.
Now I'm no selinux expert, but I think what would be much better is to explicitly only enable the required permissions.
While looking for this I came across this commit on the sony sepolicy, which explicitly enables some selinux policies to fix camera denials.
Magisk supports modifying selinux policies at runtime using the `magiskpolicy` command. To make this work we should make a magisk module that runs some `magiskpolicy` commands, so effectively we need to translate the granted policies from the linked commit to `magiskpolicy` commands.
This is where I got stuck a little and could use some help.
I tried this:
Code:
magiskpolicy --live "allow hal_camera_default vndbinder_device chr_file { read write }”
magiskpolicy --live "allow hal_camera_default camera_prop file { read }”
magiskpolicy --live "allow hal_camera_default property_socket sock_file { write }”
magiskpolicy --live "allow hal_camera_default gpu_device chr_file { read write }”
magiskpolicy --live "allow hal_camera_default sysfs file { read }”
magiskpolicy --live "allow hal_camera_default hal_graphics_mapper_hwservice hwservice_manager { find }”
magiskpolicy --live "allow hal_camera_default qdisplay_service service_manager { find }”
magiskpolicy --live "allow vndservicemanager hal_camera_default dir { search }”
magiskpolicy --live "allow vndservicemanager hal_camera_default file { read }”
magiskpolicy --live "allow vndservicemanager hal_camera_default process { getattr }”
But that didn't fix the camera lag.
This does fix it (largely):
Code:
magiskpolicy --live "permissive camera_prop"
magiskpolicy --live "permissive hal_camera_default"
But obviously this is also shotgun surgery. Anyone with more selinux knowledge willing to chime in here? Perhaps @topjohnwu or @Jman420?
From your quoted article it sounds like It does seem to not matter too, too much though.. Basically once a malicious app has root priviliges it can circumvent selinux anyways..
Anyways, I hope you get this solved. I'm on permissive & root and more security is always better!
The post mentions that running rooted at all is a liability and that's true, but with selinux permissive mode it's even worse.
It might not make a huge difference, but if we can have a good camera experience with selinux enabled I'd prefer that.
I haven't had time to look into this further, but for now I'm running with permissive camera_prop and hal_camera_default only and it's working fine.
Hi. I use Magisk and I have been facing the camera lag issue as well after upgrading to Oreo. Now I am not a dev in any way and this may sound like an insanely noob question but where and how exactly do I enter the magiskpolicy commands to fix the camera issue? I am willing to try OP's solution. Do I have to download a terminal emulator or something like that?
Yes, you can do it in Terminal emulator.
Type in "su", then grant root-priliviges and then type in the two line of code mentioned above.
For me it works till the next reboot.
Pyrb said:
I've seen people recommending to set selinux to permissive to solve camera lag on Oreo rooted with Magisk.
I think that's a pretty bad idea since it completely defeats having selinux at all. Permissive selinux + root is an especially dangerous combination, as explained here by @Jman420.
Now I'm no selinux expert, but I think what would be much better is to explicitly only enable the required permissions.
While looking for this I came across this commit on the sony sepolicy, which explicitly enables some selinux policies to fix camera denials.
Magisk supports modifying selinux policies at runtime using the `magiskpolicy` command. To make this work we should make a magisk module that runs some `magiskpolicy` commands, so effectively we need to translate the granted policies from the linked commit to `magiskpolicy` commands.
This is where I got stuck a little and could use some help.
I tried this:
Code:
magiskpolicy --live "allow hal_camera_default vndbinder_device chr_file { read write }”
magiskpolicy --live "allow hal_camera_default camera_prop file { read }”
magiskpolicy --live "allow hal_camera_default property_socket sock_file { write }”
magiskpolicy --live "allow hal_camera_default gpu_device chr_file { read write }”
magiskpolicy --live "allow hal_camera_default sysfs file { read }”
magiskpolicy --live "allow hal_camera_default hal_graphics_mapper_hwservice hwservice_manager { find }”
magiskpolicy --live "allow hal_camera_default qdisplay_service service_manager { find }”
magiskpolicy --live "allow vndservicemanager hal_camera_default dir { search }”
magiskpolicy --live "allow vndservicemanager hal_camera_default file { read }”
magiskpolicy --live "allow vndservicemanager hal_camera_default process { getattr }”
But that didn't fix the camera lag.
This does fix it (largely):
Code:
magiskpolicy --live "permissive camera_prop"
magiskpolicy --live "permissive hal_camera_default"
But obviously this is also shotgun surgery. Anyone with more selinux knowledge willing to chime in here? Perhaps @topjohnwu or @Jman420?
Click to expand...
Click to collapse
Thanks! Those two lines worked for me too using terminal emulator. Did you finally make a Magisk module that do this at start up? If you did may you upload here until a better solution is found? Thanks. Best regards.
I have made it into an app.
Here: https://forum.xda-developers.com/mi-a1/themes/fix-camera-delay-boot-t3742022
Give it root permission after installing. It will run the code every time the device reboots.
Thanks for that fix. I made a magisk module that'll run this on startup, feel free to use this (at your own risk)
Code:
magiskpolicy --live "permissive camera_prop"
magiskpolicy --live "permissive hal_camera_default"
Credit for the fix goes to @Pyrb - I only put his fix into a magisk module
EDIT: taken offline for now. Gonna need to investigate something first.
File reuploaded. I had a bootloop after a second reboot but it worked without any issues since. So use at your own risk:
arnabJ said:
I have made it into an app.
Here: https://forum.xda-developers.com/mi-a1/themes/fix-camera-delay-boot-t3742022
Give it root permission after installing. It will run the code every time the device reboots.
Click to expand...
Click to collapse
Thanksssssss
Pyrb said:
I've seen people recommending to set selinux to permissive to solve camera lag on Oreo rooted with Magisk.
I think that's a pretty bad idea since it completely defeats having selinux at all. Permissive selinux + root is an especially dangerous combination, as explained here by @Jman420.
Now I'm no selinux expert, but I think what would be much better is to explicitly only enable the required permissions.
While looking for this I came across this commit on the sony sepolicy, which explicitly enables some selinux policies to fix camera denials.
Magisk supports modifying selinux policies at runtime using the `magiskpolicy` command. To make this work we should make a magisk module that runs some `magiskpolicy` commands, so effectively we need to translate the granted policies from the linked commit to `magiskpolicy` commands.
This is where I got stuck a little and could use some help.
I tried this:
Code:
magiskpolicy --live "allow hal_camera_default vndbinder_device chr_file { read write }”
magiskpolicy --live "allow hal_camera_default camera_prop file { read }”
magiskpolicy --live "allow hal_camera_default property_socket sock_file { write }”
magiskpolicy --live "allow hal_camera_default gpu_device chr_file { read write }”
magiskpolicy --live "allow hal_camera_default sysfs file { read }”
magiskpolicy --live "allow hal_camera_default hal_graphics_mapper_hwservice hwservice_manager { find }”
magiskpolicy --live "allow hal_camera_default qdisplay_service service_manager { find }”
magiskpolicy --live "allow vndservicemanager hal_camera_default dir { search }”
magiskpolicy --live "allow vndservicemanager hal_camera_default file { read }”
magiskpolicy --live "allow vndservicemanager hal_camera_default process { getattr }”
But that didn't fix the camera lag.
This does fix it (largely):
Code:
magiskpolicy --live "permissive camera_prop"
magiskpolicy --live "permissive hal_camera_default"
But obviously this is also shotgun surgery. Anyone with more selinux knowledge willing to chime in here? Perhaps @topjohnwu or @Jman420?
Click to expand...
Click to collapse
I've discovered that only this line is required:
Code:
magiskpolicy --live "permissive hal_camera_default"
or
Code:
magiskpolicy --live "allow hal_camera_default * * *"
I wasn't able to narrow it down further to which target needed to be allowed. dmesg and kmsg only had one target for hal_camera_default but allowing that didn't fix it.
Localhorst86 said:
Thanks for that fix. I made a magisk module that'll run this on startup, feel free to use this (at your own risk)
Credit for the fix goes to @Pyrb - I only put his fix into a magisk module
EDIT: taken offline for now. Gonna need to investigate something first.
File reuploaded. I had a bootloop after a second reboot but it worked without any issues since. So use at your own risk:
Click to expand...
Click to collapse
Thanks. This works well and no bootloops.
Google camera doesn't seem to work for me if i don't install permissive script. Will this eliminate the need of permissive script for google camera?
ashu.mkb said:
Google camera doesn't seem to work for me if i don't install permissive script. Will this eliminate the need of permissive script for google camera?
Click to expand...
Click to collapse
yes it will.. but u will need camera2 api enabled for gcam to work
---------- Post added at 12:42 PM ---------- Previous post was at 11:55 AM ----------
justin97530 said:
I've discovered that only this line is required:
Code:
magiskpolicy --live "permissive hal_camera_default"
or
Code:
magiskpolicy --live "allow hal_camera_default * * *"
I wasn't able to narrow it down further to which target needed to be allowed. dmesg and kmsg only had one target for hal_camera_default but allowing that didn't fix it.
Click to expand...
Click to collapse
which target was it? can you tell me?
coolkoushik07 said:
yes it will.. but u will need camera2 api enabled for gcam to work
---------- Post added at 12:42 PM ---------- Previous post was at 11:55 AM ----------
which target was it? can you tell me?
Click to expand...
Click to collapse
It was `search` for`qti_debugfs` of type `dir`, but allowing that didn't fix it.
BlackoutOl said:
Yes, you can do it in Terminal emulator.
Type in "su", then grant root-priliviges and then type in the two line of code mentioned above.
For me it works till the next reboot.
Click to expand...
Click to collapse
Where is the magiskpolicy binary meant to be? I'm using Termux that I downloaded from F-Droid and it doesn't seem to be on the path
edit: sorry, it's just in /sbin. not sure why that wasn't on my path.
Localhorst86 said:
Thanks for that fix. I made a magisk module that'll run this on startup, feel free to use this (at your own risk)
Code:
magiskpolicy --live "permissive camera_prop"
magiskpolicy --live "permissive hal_camera_default"
Credit for the fix goes to @Pyrb - I only put his fix into a magisk module
EDIT: taken offline for now. Gonna need to investigate something first.
File reuploaded. I had a bootloop after a second reboot but it worked without any issues since. So use at your own risk:
Click to expand...
Click to collapse
Thank you so much. Both of you guys. Yesterday I unlocked and rooted my phone and after I completed my new setup (I did a factory reset too) I came up to this camera lag issue.
Lucky us, xda is here.
Installed that module in Magisk and worked. Only thing to mention is a bootloop οn firtst boot. After that everything was ok.
start time of camera didn't reduce after applying fix in my case.(both in stock camera & Gcam).
I clean flashed & rooted. Then when i applied cam2 API, & start using Gcam or stock, i saw lag in starting. Even i see lag when i click setting in both camera.
Code:
magiskpolicy --live "permissive camera_prop"
magiskpolicy --live "permissive hal_camera_default"
Both didn't fix any lag.
Also tried
Code:
magiskpolicy --live "allow hal_camera_default surfaceflinger_service service_manager find"
That also didn't fix any lag.
Code:
magiskpolicy --live "allow hal_camera_default * * *"
Above fixed Camera Lag for me. I made a Magisk Module for that.
.:Addicted:. said:
Code:
magiskpolicy --live "allow hal_camera_default * * *"
Above fixed Camera Lag for me. I made a Magisk Module for that.
Click to expand...
Click to collapse
I downloaded directly from Magisk's downloads.
Have you created it?
https://github.com/Magisk-Modules-Repo/MI-A1-Camera-Startup-Lag-Oreo
My camera lag fixed after watching this video
Watch this video:
I am using LineageOS 14 on my Galaxy S5 and while I do have the directory /system/etc/init.d , its scripts are not executed on startup as one would expect.
Searching different forums didn't lead to much beyond installing some random person's script with root permission or doing hacks.
I've invested sometime to get init.d work on my phone and wanted to share the how to with you:
Prerequisite:
Root access (shell) [ I am using addonsu-14.1-arm if that make a difference ]
LineageOS 14 (not tested on other versions but should work)
Steps:
1. mount your system partition as read/write
Code:
mount -oremount,rw /system
2. go to init directory
Code:
cd /system/etc/init/
3. create file init_d.rc with following content
Code:
service init_d /system/bin/sh /system/bin/sysinit
user root
group root
disabled
oneshot
seclabel u:r:sudaemon:s0
on property:sys.boot_completed=1 && property:sys.logbootcomplete=1
start init_d
That's it.
Explanation:
/system/etc/init/ is android's version of linux's init.d but it have very different syntax and restricted set of commands.
the file init_d define a service called init_d which basically execute sysinit script (the script responsible for running /etc/init.d/ scripts).
the service is set to be disabled so it won't run by default. Finally I say that when the system finish booting start the service. the oneshot keyword is important because without the system will keep executing sysinit each time it exit.
the seclabel define SELinux label for this service, this one should give it full access
I tried this on a lineage 15.1 build and followed all steps , it did not work.
Worked like a charm!
I needed it to run swapon once (to free some unused RAM) without modifying any system files, only adding new ones, so system updates wouldn't overwrite the configuration.
Thank you very much!
Running LineageOS 15.1, 2018-11-30 nightly build on griffin (XT1650-3).
ramast_ said:
I am using LineageOS 14 on my Galaxy S5 and while I do have the directory /system/etc/init.d , its scripts are not executed on startup as one would expect.
Searching different forums didn't lead to much beyond installing some random person's script with root permission or doing hacks.
I've invested sometime to get init.d work on my phone and wanted to share the how to with you:
Prerequisite:
Root access (shell) [ I am using addonsu-14.1-arm if that make a difference ]
LineageOS 14 (not tested on other versions but should work)
Steps:
1. mount your system partition as read/write
Code:
mount -oremount,rw /system
2. go to init directory
Code:
cd /system/etc/init/
3. create file init_d.rc with following content
Code:
service init_d /system/bin/sh /system/bin/sysinit
user root
group root
disabled
oneshot
seclabel u:r:sudaemon:s0
on property:sys.boot_completed=1 && property:sys.logbootcomplete=1
start init_d
That's it.
Explanation:
/system/etc/init/ is android's version of linux's init.d but it have very different syntax and restricted set of commands.
the file init_d define a service called init_d which basically execute sysinit script (the script responsible for running /etc/init.d/ scripts).
the service is set to be disabled so it won't run by default. Finally I say that when the system finish booting start the service. the oneshot keyword is important because without the system will keep executing sysinit each time it exit.
the seclabel define SELinux label for this service, this one should give it full access
Click to expand...
Click to collapse
Thank you so much !
ramast_ said:
I am using LineageOS 14 on my Galaxy S5 and while I do have the directory /system/etc/init.d , its scripts are not executed on startup as one would expect.
Searching different forums didn't lead to much beyond installing some random person's script with root permission or doing hacks.
I've invested sometime to get init.d work on my phone and wanted to share the how to with you:
Prerequisite:
Root access (shell) [ I am using addonsu-14.1-arm if that make a difference ]
LineageOS 14 (not tested on other versions but should work)
Steps:
1. mount your system partition as read/write
Code:
mount -oremount,rw /system
2. go to init directory
Code:
cd /system/etc/init/
3. create file init_d.rc with following content
Code:
service init_d /system/bin/sh /system/bin/sysinit
user root
group root
disabled
oneshot
seclabel u:r:sudaemon:s0
on property:sys.boot_completed=1 && property:sys.logbootcomplete=1
start init_d
That's it.
Explanation:
/system/etc/init/ is android's version of linux's init.d but it have very different syntax and restricted set of commands.
the file init_d define a service called init_d which basically execute sysinit script (the script responsible for running /etc/init.d/ scripts).
the service is set to be disabled so it won't run by default. Finally I say that when the system finish booting start the service. the oneshot keyword is important because without the system will keep executing sysinit each time it exit.
the seclabel define SELinux label for this service, this one should give it full access
Click to expand...
Click to collapse
You are great bro !
I try it on lineage os 14.1 on moto G and it works !
I tried many ways to do this but all of them are not effective, thanks
Lordlight said:
You are great bro !
I try it on lineage os 14.1 on moto G and it works !
I tried many ways to do this but all of them are not effective, thanks
Click to expand...
Click to collapse
I am glad you found it useful.
ramast_ said:
I am glad you found it useful.
Click to expand...
Click to collapse
Hi, i have a prblem with this:
The script run BEFORE the bootanimation finished, i need run AFTER the fully animation is finished. What need i do ?
There is a process responsible for showing bootanimation, I don't remember exact process name but should contain word "animation" in it.
Once you figured out its name, you can make your script check every second - in a while loop - if that process is running or not. Once the process stopped, you can assume that bootanimation has stopped.
There might be a better way but I honestly don't know.
the seclabel define SELinux label for this service, this one should give it full access
Click to expand...
Click to collapse
Hey,
I tried your solution on the following LineageOS version:
Code:
Android 7.1.2
14.1-20190207-NIGHTLY-falcon
Linux version 3.4.113-g22bc4ed ([email protected]) (gcc version 4.9 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Thu Feb 7 14:09:49 UTC 2019
Scripts in /etc/init.d are being executed, fine, but all them are running with insufficient privileges - under the selinux context of u:r:sysinit:s0
As a result I couldn't start sshd using that script:
Code:
12-27 12:10:58.848 2559 2559 I sysinit : Running /system/etc/init.d/99ssh
12-27 12:10:58.950 2562 2562 W start-ssh: type=1400 audit(0.0:9): avc: denied { getattr } for uid=0 path="/data/ssh/ssh_host_dsa_key" dev="mmcblk0p36" ino=198109 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-27 12:11:01.100 2564 2564 W ssh-keygen: type=1400 audit(0.0:10): avc: denied { getattr } for uid=0 path="/data/ssh/ssh_host_dsa_key" dev="mmcblk0p36" ino=198109 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-27 12:11:01.103 2564 2564 W ssh-keygen: type=1400 audit(0.0:11): avc: denied { write } for uid=0 name="ssh_host_dsa_key" dev="mmcblk0p36" ino=198109 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-27 12:11:01.143 2743 2743 W chmod : type=1400 audit(0.0:12): avc: denied { getattr } for uid=0 path="/data/ssh/ssh_host_dsa_key" dev="mmcblk0p36" ino=198109 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-27 12:11:01.186 2746 2746 W chmod : type=1400 audit(0.0:13): avc: denied { getattr } for uid=0 path="/data/ssh/ssh_host_dsa_key.pub" dev="mmcblk0p36" ino=197164 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-27 12:11:01.190 2562 2562 W start-ssh: type=1400 audit(0.0:14): avc: denied { getattr } for uid=0 path="/data/ssh/ssh_host_rsa_key" dev="mmcblk0p36" ino=203831 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-27 12:11:10.896 2749 2749 W ssh-keygen: type=1400 audit(0.0:15): avc: denied { getattr } for uid=0 path="/data/ssh/ssh_host_rsa_key" dev="mmcblk0p36" ino=203831 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-27 12:11:10.896 2749 2749 W ssh-keygen: type=1400 audit(0.0:16): avc: denied { write } for uid=0 name="ssh_host_rsa_key" dev="mmcblk0p36" ino=203831 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-27 12:11:10.950 2969 2969 W chmod : type=1400 audit(0.0:17): avc: denied { getattr } for uid=0 path="/data/ssh/ssh_host_rsa_key" dev="mmcblk0p36" ino=203831 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-27 12:11:11.003 2972 2972 W chmod : type=1400 audit(0.0:18): avc: denied { getattr } for uid=0 path="/data/ssh/ssh_host_rsa_key.pub" dev="mmcblk0p36" ino=203640 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-27 12:11:11.103 2979 2979 W sshd : type=1400 audit(0.0:19): avc: denied { setgid } for uid=0 capability=6 scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=capability permissive=0
12-27 12:11:11.116 2979 2979 W sshd : type=1400 audit(0.0:20): avc: denied { create } for uid=0 scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
12-27 12:11:11.116 2979 2979 W sshd : type=1400 audit(0.0:21): avc: denied { create } for uid=0 scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
12-27 12:11:11.120 2977 2977 I sshd : bad addr or host: <NULL> (No address associated with hostname)
12-27 12:11:11.121 2977 2977 I sshd : sshd terminated by exit(255)
Anyone has an idea, how to force init.d scripts to run as u:r:su:s0 ?
Thanks
Answering my own question, in case someone else would encounter this
It turned out, my LineageOS 14.1 already had init.d scripts working. However, it still was executed under a restricted selinux context u:r:sysinit:s0. To overcome that I had to recompile LineageOS from sources, where I could explicitly modify vendor/cm/prebuilt/common/etc/init.local.rc file and put there only one additional line seclabel u:r:sudaemon:s0 so it finaly looks like this:
Code:
..
.
# sysinit (/system/etc/init.d)
service sysinit /system/bin/sysinit
user root
group root
disabled
oneshot
seclabel u:r:sudaemon:s0
..
.
Now I can run commands in userinit.sh with the highest privileges
Thanks!
Hi everyone. The reason i make this thread is to ask for helping. If anybody willingly to build permissive mode kernel for A910F. Very appreciate. If there is somewhere exist, where to find it. I already try to make my own kernel for this model but ive failed at part build the zimage.img. i try to bash script "build_kernel.sh" but fail. I follow all tutorial 100% but still fail. Really appreciate if somebody want to help me
Not a permissive kernel, but in most use cases granting the required selinux permission in an enforcing kernel might be enough, in a terminal emulator use cat /proc/avc_msg or logcat -s audit
For example
type=1400 audit(...): avc: denied { execute } for pid=22889 comm="HwBinder:22882_" path=... dev="tmpfs" ino=... scontext=u:r:hal_audio_default:s0 tcontext=ubject_r:hal_audio_default_tmpfs:s0 tclass=file
In a terminal emulator,
/sbin/magiskpolicy --live "allow hal_audio_default hal_audio_default_tmpfs file execute"
The format is
/sbin/magiskpolicy --live "allow scontext tcontext tclass permission"
The permission "ioctl" uses allowxperm instead.
If it says not found then one of these
su -c /sbin/magiskpolicy
/sbin/supolicy
/system/xbin/supolicy
/su/xbin/supolicy
/su/bin/supolicy
/su/xbin_bind/supolicy
/system/bin/supolicy
/system/bin/magiskpolicy
supolicy
If if says permission denied type su first.
Restart the software that required the permission, and the software that it requires, should revert after restarting the device.
I see this message in logs a couple of times each second...
Access denied finding property "vendor.debug.egl.swapinterval"
Followed by:
type=1400 audit(0.0:58203): avc: denied { read } for name="ubject_r:vendor_default_prop:s0" dev="tmpfs" ino=19023 scontext=u:r:untrusted_app:s0:c169,c256,c512,c768 tcontext=ubject_r:vendor_default_prop:s0 tclass=file permissive=0
Seems OP has removed something, but the system still tries to access it...