Question

A security analyst is validating the MAC policy on a set of Android devices. The policy was written to ensure non-critical applications are unable to access certain resources. When reviewing dmesg, Dallas notes many entries such as:

avc: denied { open } for pid=1018 comm="irc" path="/dev/if0" dev="tmpfs" scontext=u:r:irc:sc:s0 tcontext=u:object_r:default:s0 tclass=chr_file permissive=1

Despite the deny message, this action was still permitted. Which of the following is the most likely fix for this issue?

  1. Add the objects of concern to the default context

  2. Set the devices to enforcing mode

  3. Create a separate domain and context file

  4. Rebuild the sepolicy, reinstall, and test

Solutions

Expert Solution

Initially, when a subject (e.g. a process) makes a request to an object (a file), the kernel looks into the AVC (Access Vector Cache). In case the data in the AVC is not able to suggest any decision, the request is then sent to the security server, which then grants or denies permission based on the installed policy.

Now SELinux (Security enhanced Architecture) runs in permissive mode, where denials are not applied but only logged. It is important from the perspective that it assures that policy may not delay other early device bring-up tasks. Permissive mode is suitable for troubleshooting and debugging. In permissive mode, the majority of the denials are logged and not applied, as subjects can continue with actions that are denied by the policy but would be denied in enforcing mode. For example, traversing a directory tree in permissive mode produces avc: denied messages for every directory level read. In enforcing mode, SELinux would have stopped the initial traversal and kept further denial messages from occurring. In this case also the same thing is happening: in spite of the denials in the policy, the action was allowed.

Hence, in enforcing mode denials are both logged and enforced. The likely fix is to set the devices to enforcing mode.

After that, the bugs are analysed and, if the need arises, the objects of concern are added to the default context, separate domains are created, and the sepolicy is rebuilt, reinstalled and tested.

In order to put your device into enforcing mode you need to use the SELinux Switch app; it makes it easier to toggle between Enforcing and Permissive SELinux modes.
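One way to triage dmesg output like the line in the question, as an added example that is not part of the original question or answer: the parser below reads avc: lines, splits the key=value fields, and flags denials that carry permissive=1 (logged but not blocked), which is exactly the condition the question describes. The sample log lines are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample dmesg lines (not from the original question): one denial logged in
# permissive mode, one in enforcing mode, and an unrelated kernel line.
SAMPLE_DMESG = """\
[   12.345678] type=1400 audit(0.0:17): avc: denied { open } for pid=1018 comm="irc" path="/dev/if0" dev="tmpfs" scontext=u:r:irc:s0 tcontext=u:object_r:default:s0 tclass=chr_file permissive=1
[   12.400000] type=1400 audit(0.0:18): avc: denied { read write } for pid=1020 comm="logd" name="kmsg" dev="tmpfs" scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
[   13.000000] init: starting service 'adbd'...
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcEvent:
    decision: str          # "denied" or "granted"
    perms: list            # permissions requested, e.g. ["open"]
    fields: dict = field(default_factory=dict)  # pid, comm, scontext, tcontext, tclass, ...

    @property
    def enforced(self) -> bool:
        """True only if the kernel actually blocked the access (permissive=0)."""
        return self.decision == "denied" and self.fields.get("permissive") == "0"

def parse_avc(line: str):
    """Return an AvcEvent for an avc: line, or None for unrelated kernel output."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcEvent(m.group("decision"), m.group("perms").split(), fields)

def unenforced_denials(dmesg: str):
    """Denials that were logged but still allowed: the permissive=1 case in the question."""
    out = []
    for line in dmesg.splitlines():
        ev = parse_avc(line)
        if ev and ev.decision == "denied" and not ev.enforced:
            out.append(ev)
    return out

if __name__ == "__main__":
    for ev in unenforced_denials(SAMPLE_DMESG):
        print(f"NOT ENFORCED: {ev.fields['scontext']} -> {ev.fields['tcontext']} "
              f"{ev.fields['tclass']} {{{' '.join(ev.perms)}}} pid={ev.fields['pid']}")
```

Any event reported by unenforced_denials means the device is still permissive for that domain, so the denial is a finding to fix in policy or a reason to switch the device to enforcing, not evidence that the access was blocked.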
