[SOLVED] Disabling selinux in voodik's Android 10

mad_ady
Posts: 9090
Joined: Wed Jul 15, 2015 5:00 pm
languages_spoken: english
ODROIDs: XU4, C1+, C2, C4, N1, N2, H2, Go, Go Advance
Location: Bucharest, Romania
Has thanked: 597 times
Been thanked: 584 times
Contact:

[SOLVED] Disabling selinux in voodik's Android 10

Post by mad_ady »

Hello all,

I'm running my N2 with voodik's Android 10 and on top I'm running Linux through Linux Deploy (in a chroot). In this linux I'm running an XFCE desktop that I can use via xpra from a remote system. I'm trying to add printing support through it through cups (with a remote, network printer). In theory, it should all work, but in practice, it fails miserably, and after a couple of weeks of head-banging against the wall, I'm starting to suspect Android may be at play. Here is a more detailed description of the problem: https://serverfault.com/questions/10438 ... ter-is-not

When I have a running print job, each 30s it tries to send it to the network printer for printing. If I listen with tcpdump on the cups server, I get no traffic from the android IP when it's trying to print:

Code:

D [25/Nov/2020:10:12:01 +0200] [Job 8] Connecting to 192.168.1.13:631
D [25/Nov/2020:10:12:01 +0200] [Job 8] Connecting to printer.
D [25/Nov/2020:10:12:01 +0200] [Job 8] Connection error: Permission denied
E [25/Nov/2020:10:12:01 +0200] [Job 8] The printer is not responding.
D [25/Nov/2020:10:12:31 +0200] [Job 8] Connecting to 192.168.1.13:631
D [25/Nov/2020:10:12:31 +0200] [Job 8] Connecting to printer.
D [25/Nov/2020:10:12:31 +0200] [Job 8] Connection error: Permission denied
E [25/Nov/2020:10:12:31 +0200] [Job 8] The printer is not responding.
So, I was looking at adb logcat, to see if it correlates to other android events, and it does:

Code:

11-25 10:28:29.179  2980  3091 W Netd    : No subsystem found in netlink event
11-25 10:28:31.012 20789 20789 I printers.cgi: type=1400 audit(0.0:785): avc: denied { ioctl } for path="socket:[151451]" dev="sockfs" ino=151451 ioctlcmd=0x8933 scontext=u:r:magisk:s0 tcontext=u:r:magisk:s0 tclass=unix_dgram_socket permissive=1
It correlates with the printers.cgi message, which to me indicates that cups is trying to create a (file based?) socket, but selinux? denies it. The linux root filesystem lives in a loop-mounted file for what it's worth.

I'd like to find out:
1. How can I tell if selinux is enabled in this android version
2. If it is, can I disable it? What happens if I do?
3. If I can't disable it, could I allow the socket creation? What would I need to know (presumably the path?). How would I do that?

I'm still a selinux noob, but I know a bit about it under linux. I'm not familiar with the tools used to control it in android, though...

Thanks

joerg
Posts: 1257
Joined: Tue Apr 01, 2014 2:14 am
languages_spoken: german, english, español
ODROIDs: C1, C1+, C2, N1, N2, C4
Location: Germany
Has thanked: 80 times
Been thanked: 164 times
Contact:

Re: Disabling selinux in voodik's Android 10

Post by joerg »

As far as I know selinux is permissive, so this avc:denied you don't need to care about.
Check with getenforce at adb shell.
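As an added example (not code from anyone in this thread), this script parses cups error_log lines and logcat avc lines in the formats shown above, correlates them by timestamp, and reads the permissive field: permissive=1 means SELinux only logged the access and let it through, so that avc line cannot be the source of the EACCES. The sample lines and the year used for the logcat timestamps are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (same formats as the thread's logs, not the original logs).
CUPS_LOG = """D [25/Nov/2020:10:12:01 +0200] [Job 8] Connecting to 192.168.1.13:631
D [25/Nov/2020:10:12:01 +0200] [Job 8] Connection error: Permission denied
E [25/Nov/2020:10:12:01 +0200] [Job 8] The printer is not responding."""
LOGCAT = """11-25 10:12:00.900 20789 20789 I printers.cgi: type=1400 audit(0.0:785): avc: denied { ioctl } for path="socket:[151451]" dev="sockfs" ino=151451 ioctlcmd=0x8933 scontext=u:r:magisk:s0 tcontext=u:r:magisk:s0 tclass=unix_dgram_socket permissive=1
11-25 10:12:01.200  2980  3091 W Netd    : No subsystem found in netlink event"""

AVC_RE = re.compile(r'avc: denied \{ (?P<perms>[^}]+)\} .*?scontext=(?P<scontext>\S+) '
                    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?')
LOGCAT_TS_RE = re.compile(r'^(\d\d)-(\d\d) (\d\d):(\d\d):(\d\d)\.(\d+)')
CUPS_RE = re.compile(r'^(?P<level>[DEIW]) \[(?P<ts>[^\]]+)\] (?P<msg>.*)$')

def parse_avc(line):
    """Extract the denied permissions, contexts, class and permissive flag from an avc line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    d['permissive'] = d['permissive'] == '1'   # True: logged only, access was allowed
    return d

def logcat_time(line, year):
    """logcat timestamps carry no year; the caller supplies it (assumption)."""
    m = LOGCAT_TS_RE.match(line)
    if not m:
        return None
    mo, da, h, mi, s, frac = m.groups()
    return datetime(year, int(mo), int(da), int(h), int(mi), int(s), int(frac.ljust(6, '0')[:6]))

def cups_time(line):
    """cups error_log timestamps are local wall-clock with an offset; drop the offset to match logcat."""
    m = CUPS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)

def correlate(cups_log, logcat, window_s=2.0, year=2020):
    """Pair each cups 'Permission denied' line with avc denials within window_s seconds."""
    denials = [(logcat_time(l, year), parse_avc(l)) for l in logcat.splitlines() if 'avc: denied' in l]
    out = []
    for l in cups_log.splitlines():
        if 'Permission denied' not in l:
            continue
        t = cups_time(l)
        for dt, avc in denials:
            if abs((t - dt).total_seconds()) <= window_s:
                out.append({'cups': l, 'avc': avc, 'enforced': not avc['permissive']})
    return out
```

If every correlated entry reports enforced=False, SELinux is in permissive mode for that domain and the EACCES must come from another layer (Android's own socket and group checks, for instance).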

mad_ady

Re: Disabling selinux in voodik's Android 10

Post by mad_ady »

You're right, it's permissive:

Code:

root@odroidn2:/ # getenforce
Permissive
No idea where to go from here...

OverSoft
Posts: 56
Joined: Wed Feb 01, 2017 5:34 pm
languages_spoken: english
ODROIDs: C2, XU4, N2, N2+
Has thanked: 4 times
Been thanked: 12 times
Contact:

Re: Disabling selinux in voodik's Android 10

Post by OverSoft »

Your problem is not with SELinux, but with something else (probably Android permissions).

mad_ady

Re: Disabling selinux in voodik's Android 10

Post by mad_ady »

The thing is - the linux root filesystem lives in a loop-mounted image file... It shouldn't interfere with android...

tobetter
Posts: 7171
Joined: Mon Feb 25, 2013 10:55 am
languages_spoken: Korean, English
ODROIDs: Many
Location: Paju, South Korea
Has thanked: 384 times
Been thanked: 1052 times
Contact:

Re: Disabling selinux in voodik's Android 10

Post by tobetter »

mad_ady wrote:
Thu Nov 26, 2020 10:46 pm
The thing is - the linux root filesystem lives in a loop-mounted image file... It shouldn't interfere with android...
Does your Linux container have a privileged /dev and /sys directory?

mad_ady

Re: Disabling selinux in voodik's Android 10

Post by mad_ady »

I'm not sure if they are privileged or not...
From within Linux deploy I was mounting / to /android and /sdcard to /sdcard.
This is what the mount table looks like from within linux:

Code:

adrianp@bellatrix-n2:~$ mount
/dev/block/loop0 on / type ext4 (rw,relatime,seclabel,data=ordered)
proc on /proc type proc (rw,relatime,gid=3009,hidepid=2)
sys on /sys type sysfs (rw,relatime,seclabel)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,seclabel,mode=755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime,seclabel)
devpts on /dev/pts type devpts (rw,relatime,seclabel,mode=600,ptmxmode=000)
/data/media on /sdcard type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid,default_normal)
/dev/block/system on /android type ext4 (ro,nodev,relatime,seclabel,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/etc/auto.sshfs on /media/sshfs type autofs (rw,relatime,fd=7,pgrp=7406,timeout=20,minproto=5,maxproto=5,indirect)
cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,seclabel,mode=755)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent)
cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu)
cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,relatime,cpuacct)
cgroup on /sys/fs/cgroup/schedtune type cgroup (rw,relatime,schedtune)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,relatime,pids)
cgroup on /sys/fs/cgroup/debug type cgroup (rw,relatime,debug)
But it looks like this from the Android side:

Code:

root@odroidn2:/ # mount | grep -v .magisk | grep -v fuse.rclone
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,relatime,mode=600,ptmxmode=000)
proc on /proc type proc (rw,relatime,gid=3009,hidepid=2)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
tmpfs on /mnt type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755,gid=1000)
tmpfs on /apex type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755)
/dev/block/vendor on /vendor type ext4 (ro,seclabel,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on / type ext4 (ro,seclabel,nodev,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/odm on /odm type vfat (rw,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
tmpfs on /sbin type tmpfs (rw,seclabel,relatime,mode=755)
none on /dev/cg2_bpf type cgroup2 (rw,nosuid,nodev,noexec,relatime)
none on /dev/cpuctl type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
none on /acct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)
none on /dev/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent)
none on /dev/memcg type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
none on /dev/stune type cgroup (rw,nosuid,nodev,noexec,relatime,schedtune)
/dev/block/system on /apex/com.android.tzdata@290000000 type ext4 (ro,seclabel,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on /apex/com.android.tzdata type ext4 (ro,seclabel,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on /apex/com.android.runtime@1 type ext4 (ro,seclabel,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on /apex/com.android.runtime type ext4 (ro,seclabel,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/sys/kernel/debug on /sys/kernel/debug type debugfs (rw,seclabel,relatime,mode=755)
configfs on /sys/kernel/config type configfs (rw,relatime)
none on /config type configfs (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime)
pstore on /sys/fs/pstore type pstore (rw,seclabel,nosuid,nodev,noexec,relatime)
tracefs on /sys/kernel/debug/tracing type tracefs (rw,seclabel,relatime)
/dev/block/data on /data type ext4 (rw,seclabel,nosuid,nodev,noatime,nodelalloc,resgid=1065,errors=panic,data=ordered)
/dev/block/cache on /cache type ext4 (rw,seclabel,nosuid,nodev,noatime,data=ordered)
/dev/block/param on /mnt/vendor/param type ext4 (rw,seclabel,nosuid,nodev,noatime,nodelalloc,errors=panic,data=ordered)
tmpfs on /storage type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755,gid=1000)
/dev/block/system on /apex/com.android.conscrypt@299900000 type ext4 (ro,seclabel,nodev,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on /apex/com.android.conscrypt type ext4 (ro,seclabel,nodev,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on /apex/com.android.media@290000000 type ext4 (ro,seclabel,nodev,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on /apex/com.android.media type ext4 (ro,seclabel,nodev,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on /apex/com.android.media.swcodec@290000000 type ext4 (ro,seclabel,nodev,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on /apex/com.android.media.swcodec type ext4 (ro,seclabel,nodev,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on /apex/com.android.resolv@290000000 type ext4 (ro,seclabel,nodev,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
/dev/block/system on /apex/com.android.resolv type ext4 (ro,seclabel,nodev,relatime,block_validity,delalloc,barrier,user_xattr,acl,inode_readahead_blks=8)
tmpfs on /system/bin type tmpfs (rw,seclabel,relatime)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
mtp on /dev/usb-ffs/mtp type functionfs (rw,relatime)
ptp on /dev/usb-ffs/ptp type functionfs (rw,relatime)
/dev/block/data on /data/app/com.google.android.youtube-WqeeAn6DkEx9nZuOps1aKg==/base.apk type ext4 (rw,seclabel,nosuid,nodev,noatime,nodelalloc,resgid=1065,errors=panic,data=ordered)
/data/media on /mnt/runtime/default/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid,default_normal)
/data/media on /storage/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid,default_normal)
/data/media on /mnt/runtime/read/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=23,derive_gid,default_normal)
/data/media on /mnt/runtime/write/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid,default_normal)
/data/media on /mnt/runtime/full/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid,default_normal)
tmpfs on /mnt/runtime/default/emulated/0/Music type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755,gid=1000)
tmpfs on /storage/emulated/0/Music type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755,gid=1000)
tmpfs on /mnt/runtime/read/emulated/0/Music type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755,gid=1000)
tmpfs on /mnt/runtime/write/emulated/0/Music type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755,gid=1000)
tmpfs on /mnt/runtime/full/emulated/0/Music type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755,gid=1000)
It's funny that I can't see the linux mounts in android - probably because Linux Deploy creates a new mount namespace...
I'll try to map /sys and /dev directly from Linux Deploy and report back. I'll throw in /proc for good measure...

tobetter

Re: Disabling selinux in voodik's Android 10

Post by tobetter »

@mad_ady, just in case...I also doubt this kernel option CONFIG_ANDROID_PARANOID_NETWORK in Android kernel.
If you are able to ping from your PC to Android 10 and the Linux container, but not able to ping from the container out of Android.

mad_ady

Re: Disabling selinux in voodik's Android 10

Post by mad_ady »

No issues with networking. The linux chroot is using host-based networking (i.e. there is only one network stack).

mad_ady

Re: [SOLVED] Disabling selinux in voodik's Android 10

Post by mad_ady »

Santa has brought me an idea on how to bypass this issue and be able to print from Linux under Android on my N2! Thanks Santa!

The plan was to bypass the local cups server on the N2 (Linux) and use cups-client to connect directly to my C2 which has the printer directly connected and runs cups as well. I needed to create a /etc/cups/client.conf file with this contents:

Code:

AllowAnyRoot Yes
AllowExpiredCerts Yes
Encryption IfRequested
ServerName 192.168.1.13:631
192.168.1.13 is my cups server.
After a reboot it worked!