
Need some help with 3 issues:

  • In permissive mode I get denials; why does this happen and how do I fix it?
  • If I am enforced, how do I give access to my partitions to various processes? Right now I am permissive, but in case I want to switch over to enforced, what do I do in enforced mode to ensure that apps and processes have full access to all my partitions on the micro SD card?
  • How do I ensure that I am in permissive mode after boot? I am using the SELinux changer app, which changes the mode to permissive after boot, I am assuming.

Backdrop

I am on Android 9 Pie, rooted, with a custom ROM, via Magisk (v20, which is the latest).

I have 3 partitions on my micro SD card, all ext4. The first partition is to store the external data. The second partition is for app2sd or application data linking. And the third partition is for WhatsApp.

But I have a problem which mysteriously keeps popping up; for a very brief time it disappears and then it is back again.
The issue is that when I link the WhatsApp folder in my internal storage to the third partition, it stops working and I am not able to download any images. When I try to access internal folders that are linked to my external partition on the micro SD card through ADB and a non-rooted prompt, it says Access denied. If, after linking, I have to access any file on my internal storage or external storage as a non-root user, I have to copy it to /data/local/tmp and chmod it.

So after running dmesg from a su prompt, I keep getting this kind of output, and I am totally confused as to how I keep getting denials even when I am in permissive mode:

[64108.645494] type=1400 audit(1571547099.201:11658): avc: denied { call } for pid=1301 comm="pool-1-thread-1" scontext=u:r:untrusted_app:s0:c2,c257,c512,c768 tcontext=u:r:hal_memtrack_default:s0 tclass=binder permissive=1
[64108.645560] type=1400 audit(1571547144.071:11659): avc: denied { open } for pid=23335 comm="om.mobikwik_new" path="/proc/vmstat" dev="proc" ino=4026532137 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:proc_vmstat:s0 tclass=file permissive=1
[62276.620621] type=1400 audit(1571545312.043:11584): avc: denied { read } for pid=8534 comm="webview_zygote" name="fonts.xml" dev="mmcblk0p66" ino=1968042 scontext=u:r:webview_zygote:s0 tcontext=u:object_r:theme_data_file:s0 tclass=file permissive=1
[61774.878054] type=1400 audit(1571544810.294:11570): avc: denied { call } for pid=1301 comm="pool-1-thread-1" scontext=u:r:untrusted_app:s0:c2,c257,c512,c768 tcontext=u:r:hal_memtrack_default:s0 tclass=binder permissive=1
[61770.686186] type=1400 audit(1571544806.104:11569): avc: denied { getattr } for pid=12417 comm=4173796E635461736B202334 path="/data/sdext2/data/com.google.android.googlequicksearchbox/cache" dev="mmcblk1p2" ino=413617 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
[59854.882802] type=1400 audit(1571542825.956:11523): avc: denied { call } for pid=13288 comm="GoogleLocationS" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:hal_memtrack_default:s0 tclass=binder permissive=1
[58684.872549] type=1400 audit(1571541715.916:11505): avc: denied { getattr } for pid=4379 comm="Binder:4379_3" path="/storage/6226b27a-ebc1-4fdd-b54c-096abc40c2b9" dev="tmpfs" ino=52150 scontext=u:r:untrusted_app:s0:c241,c256,c512,c768 tcontext=u:object_r:storage_stub_file:s0 tclass=dir permissive=1
[58416.978554] type=1400 audit(1571541430.215:11458): avc: denied { open } for pid=31520 comm="CallMonitors-1" path="/proc/stat" dev="proc" ino=4026532088 scontext=u:r:untrusted_app:s0:c18,c257,c512,c768 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=1

What I did:

  • Tried the script approach with setenforce 0 in the init.d dir. Hopelessly, it works only on <5.0.
  • Tried to remount the partitions as R/W.
  • 1. permissive=1 is just a warning; it doesn't restrict you from doing anything. 2. You need to modify the SELinux policy. 3. You need to define an init service. // For mounting an SD card partition to be used by apps for storing data, you need to consider 1. ownership, 2. permission mode, 3. SELinux context, 4. mount namespace. If any of the four isn't configured properly, you'll be in trouble. – Irfan Latif Oct 20 '19 at 12:32
  • Thank you Irfan, but if I'm in permissive there shouldn't be any perm issues. Why the denials after I am in permissive mode? – user1874594 Oct 20 '19 at 17:13
  • I mentioned 4 factors, SELinux is only one of those. – Irfan Latif Oct 20 '19 at 17:21
  • OK, thanks, a very useful framework to think along, but I need some more meat between those points. Any idea where I can read up on how these are customised and configured? – user1874594 Oct 20 '19 at 17:53
  • Ownership will vary depending on who is writing to the card; it should be made available to all users. Magisk is running in the global namespace. SELinux is permissive. – user1874594 Oct 20 '19 at 18:09
  • 1
    To understand ownership, must read: https://android.stackexchange.com/a/210159/218526. Other helpful sources: https://en.wikipedia.org/wiki/File_system_permissions#Traditional_Unix_permissions and https://android.stackexchange.com/a/208982/218526 and https://source.android.com/devices/tech/config/filesystem. If you state clearly, step by step, how you mounted the partition, what are the ownership and permission modes and SELinux context of the mount point and inside files, I can try to answer your question directly. – Irfan Latif Oct 20 '19 at 18:16
  • heyya thx gain... specifically I was asking about AvC denied errors that I put up in the above log snippet. if I have Selinux running in permissive mode then what are these errors coming from ? i guess that was one of the things I was trying to figure out and still haven't gotten a a faint clue 'bout.... – user1874594 Oct 21 '19 at 04:51
  • avc denied cannot be just an f y i m message. there is some actual denial going on and I was asking, if it's in permissive mode.... then what is causing so many denials when nothing in my phone has changed and this is intermittent...it ll stay on for a good amount of time and then goes away on its own to , reappear again – user1874594 Oct 21 '19 at 09:20
  • sure it is permissive? selinux changer app only work for kernel which supports that. btw WhatsApp should be bind mounted, sdcardfs does ignore symlinks – alecxs Oct 21 '19 at 09:41
  • 1
    @user1874594 that's how SELinux works. Android's official documentation says: *“SELinux can operate in two global modes: Permissive mode, in which permission denials are logged but not enforced. Enforcing mode, in which permissions denials are both logged and enforced. ”* And you can read SELinux documentation where ever you want, the principle remains same. I can't say much if SELinux is enforcing in permissive mode only on your device. You can modify sepolicy to get rid of denial messages but that won't solve your problem for sure. – Irfan Latif Oct 21 '19 at 11:24
  • 127|root@android:(unreachable) # getenforce Permissive root@android:(unreachable) # – user1874594 Oct 21 '19 at 19:06
  • Yes, of course it is bind mounted. All the folders that I am linking somewhere else from internal storage are bind mounted. Only for the WhatsApp folder I am not able to download the images when I have the linking on, and as soon as it refuses to download the image I go look at dmesg and see this avc denied message, which makes me think this is connected with SELinux; it is an assumption based on this strong correlation. One thing: the WhatsApp partition is mounted under /storage; there are 3 partitions under storage. The log message tells me that it mounted sdcardfs on so-and-so partition. – user1874594 Oct 21 '19 at 19:14
  • Is there a concept that at boot time certain rules are enforced, and even after it changes post-boot from enforcing to permissive, the rules previously enforced are still applicable? – user1874594 Oct 21 '19 at 19:19
  • 1
    As I mentioned in previous comment: If you state clearly, step by step, how you mounted the partition, what are the 1. ownership 2. permission modes and 3. SELinux context of the mount point and inside files, I can try to answer your question directly. If you keep on repeating the same thing, not listening to what others say, no one will be able to help you. Sorry. – Irfan Latif Oct 22 '19 at 09:23
  • heyya ok ... fine sure wasnt clear what exactly you are getting at now you articulated it very well I will revert back to you with all the info. Thank You – user1874594 Oct 23 '19 at 03:29
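To make the point in the question's dmesg snippet and in Irfan Latif's comment about permissive mode concrete, here is an added triage script (not from the question, the answerers, or any Android tool) that parses avc lines of exactly that format: it decodes the hex-encoded comm= field, pulls out the source and target contexts, and tallies each denial as "logged only" (permissive=1) or "blocked" (permissive=0), so you can see at a glance that every line in the question is a logged-but-allowed access. The sample log is constructed: two lines copied from the question plus one made-up permissive=0 line for contrast.

```python
import re
from collections import Counter

# Constructed sample: two lines copied from the question's dmesg plus one made-up permissive=0 line.
SAMPLE_LOG = """\
[61770.686186] type=1400 audit(1571544806.104:11569): avc: denied { getattr } for pid=12417 comm=4173796E635461736B202334 path="/data/sdext2/data/com.google.android.googlequicksearchbox/cache" dev="mmcblk1p2" ino=413617 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
[64108.645494] type=1400 audit(1571547099.201:11658): avc: denied { call } for pid=1301 comm="pool-1-thread-1" scontext=u:r:untrusted_app:s0:c2,c257,c512,c768 tcontext=u:r:hal_memtrack_default:s0 tclass=binder permissive=1
[10.000000] type=1400 audit(1571500000.000:1): avc: denied { write } for pid=42 comm="example" path="/storage/part3/x" dev="mmcblk1p3" ino=7 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+) \} for pid=(?P<pid>\d+) '
    r'comm=(?P<comm>"[^"]*"|[0-9A-Fa-f]+)(?P<rest>.*?)scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # optional path= name= dev= ino= fields

def decode_comm(raw):
    # audit quotes comm when it is plain text and emits bare hex otherwise (e.g. it has spaces)
    return raw.strip('"') if raw.startswith('"') else bytes.fromhex(raw).decode("utf-8", "replace")

def domain(context):
    return context.split(":")[2]  # u:r:untrusted_app_25:s0:c512,c768 -> untrusted_app_25

def parse_avc_line(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split(), "pid": int(m.group("pid")),
           "comm": decode_comm(m.group("comm")), "scontext": m.group("scontext"),
           "tcontext": m.group("tcontext"), "tclass": m.group("tclass"),
           # permissive=1: the access was logged but still allowed; only permissive=0 blocks it
           "enforced": m.group("permissive") == "0"}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def parse_avc_log(text):
    return [r for r in map(parse_avc_line, text.splitlines()) if r]

def summarize(records):
    # Tally by (source domain, target type, class, permission, outcome) for quick triage.
    counts = Counter()
    for r in records:
        outcome = "blocked" if r["enforced"] else "logged only"
        for perm in r["perms"]:
            counts[(domain(r["scontext"]), domain(r["tcontext"]), r["tclass"], perm, outcome)] += 1
    return counts
```

Feeding the full dmesg output through `parse_avc_log` and `summarize` shows which domains and target types recur; an `unlabeled` target type on the SD card partition is the SELinux-context factor from the comments, not an enforcement failure.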