SELinux validate: Improve documentation.
When grep'ing for denials, look for avc:, not AVC.
Explain usage of newer audit2allow versions.
Change-Id: Idd6d9b448314fc147e0d3c89aed9d3025fced99f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/src/devices/tech/security/selinux/validate.jd b/src/devices/tech/security/selinux/validate.jd
index 2734665..34199f5 100644
--- a/src/devices/tech/security/selinux/validate.jd
+++ b/src/devices/tech/security/selinux/validate.jd
@@ -41,7 +41,7 @@
<p>Then check for errors. Errors are routed as event logs to dmesg and <code>logcat</code> and are viewable locally on the device. Manufacturers should examine the
SELinux output to dmesg on these devices and refine settings prior to public
release in permissive mode and eventual switch to enforcing mode. SELinux log
-messages contain "AVC" and so may easily be found with <code>grep</code>. It is
+messages contain "avc:" and so may easily be found with <code>grep</code>. It is
possible to capture the ongoing denial logs by running <code>cat /proc/kmsg</code>
or to capture denial logs from the previous boot by running cat <code>/proc/last_kmsg</code>.</p>
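Review bot: the two kmsg commands in the trailing context of this hunk are marked up inconsistently: the first is `<code>cat /proc/kmsg</code>`, but the second reads `running cat <code>/proc/last_kmsg</code>` with `cat` left outside the tag; wrap the whole command as `<code>cat /proc/last_kmsg</code>`. Since the grep token is now the lowercase `avc:`, it would also help to say that `grep avc:` matches every AVC record, not only denials, so a reader hunting for denials specifically should grep for `avc: denied`, which is the form the example later on this page shows.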
@@ -53,7 +53,7 @@
enforcing mode and why. Here is an example:</p>
<pre>
-denied { connectto } for pid=2671 comm="ping" path="/dev/socket/dnsproxyd"
+avc: denied { connectto } for pid=2671 comm="ping" path="/dev/socket/dnsproxyd"
scontext=u:r:shell:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket
</pre>
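Review bot: the prose introducing this example promises to show what would be denied "and why", but the `<pre>` is left to speak for itself; a sentence after it explaining the fields would carry the point, e.g. that `scontext=u:r:shell:s0` is the domain of the process that was denied, `tcontext=u:r:netd:s0` the label of the target, and `tclass=unix_stream_socket` with `{ connectto }` the object class and permission that the policy would need to allow. Also, now that the line carries the `avc:` prefix, consider keeping `avc: denied` together with the `{ connectto }` on one line so that a copied `grep` string from the text matches it.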
@@ -121,12 +121,18 @@
$ sudo apt-get install policycoreutils
</pre>
-<p>To use it:</p>
+<p>To use it on Ubuntu 12.04, run:</p>
<pre>
$ adb shell su -c dmesg | audit2allow
</pre>
+<p>On Ubuntu 14.04 and newer, audit2allow requires you to specify the Android policy
+using the -p option, e.g.
+<pre>
+$ adb shell su -c dmesg | audit2allow -p out/target/product/<device>/root/sepolicy
+</pre>
+
<p>Nevertheless, care must be taken to examine each potential addition for
overreaching permissions. For example, feeding audit2allow the <code>rmt_storage</code> denial shown earlier results in the following suggested SELinux policy
statement:</p>
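Review bot: the added paragraph `<p>On Ubuntu 14.04 and newer, audit2allow requires you to specify the Android policy` is never closed with `</p>` before the `<pre>` that follows, and the `<device>` placeholder inside that `<pre>` is unescaped, so an HTML renderer will treat it as a tag and drop it, rendering the path as `out/target/product//root/sepolicy`. Close the paragraph (`using the -p option, e.g.:</p>`) and write the placeholder as `&lt;device&gt;`. For consistency with the rest of the page, the option should be marked up as `<code>-p</code>`. It would also help to say that the `-p` argument is the compiled `sepolicy` from the device build output, so readers know the file only exists once the device policy has been built.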