
I have an app that starts a native application and communicates with it using unix domain sockets. The app works fine on a NON-Rooted device.

The problem is when I start the native application as root. The native application runs fine and is waiting for messages from the app. The app then tries to send a message to the native application using the unix domain socket. The app is using JNI to call "sendto", but SELinux is blocking sendto calls from my app.

These are the logs written when I try to call "sendto" and it is blocked.

type=1400 audit(0.0:27806): avc: denied { sendto } for uid=10220 comm=4173796E635461736B202331 path=0044726F696456504E456E67696E65536F636B6574 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=unix_dgram_socket permissive=0

The only thing that makes it work again is if I disable SELinux (e.g. setenforce 0).

Is there any other way to fix this? Like a semanage command, so that I won't have to fully disable SELinux and can only allow what my app needs, which is just to use unix domain sockets?

Nir Duan
kuchi
  • Interesting; from what I understand, user permissions and SELinux policies are separate, parallel security mechanisms, so I wonder why it is impacting you that way. Nevertheless, I think that what you really should do is write a sepolicy file for your app to have permissions to use that domain socket. Configuring them properly is what needs to be done. – niralittle Apr 16 '18 at 14:06
  • How do you write a sepolicy file for your app? I've read that in the documentation before but never really found an example of how to do it. What I did was a dirty hack and used the supolicy tool that comes with superuser to add my own policies. The problem with that is the supolicy tool is not always guaranteed to be installed on their phone, since they could use a different app than superuser to manage root access. – kuchi Apr 17 '18 at 18:29
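The avc line in the question is hard to read because the kernel hex-encodes the comm= and path= fields, and the comment thread ends at "write a sepolicy file" without showing what the rule for this exact denial looks like. The following is an added example (not code from the question or from any Android tool): it parses that single avc record, decodes the hex fields, and renders the minimal allow rule in the syntax audit2allow would emit. The sample line is the one from the question; the assumptions are that comm/path/name/proctitle are the hex-encoded fields and that an abstract socket (leading NUL byte) is displayed with a leading "@" as ss/netstat do.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the avc line quoted in the question, reproduced verbatim
# so the parser can be exercised offline.
SAMPLE_AVC = (
    "type=1400 audit(0.0:27806): avc: denied { sendto } for uid=10220 "
    "comm=4173796E635461736B202331 "
    "path=0044726F696456504E456E67696E65536F636B6574 "
    "scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:init:s0 "
    "tclass=unix_dgram_socket permissive=0"
)

# Fields the audit subsystem hex-encodes when the value contains whitespace,
# quotes or non-printable bytes (assumption: this list is the usual set).
HEX_ENCODED_FIELDS = ("comm", "path", "name", "proctitle")


class AvcDenial(NamedTuple):
    permissions: List[str]   # e.g. ["sendto"]
    source_type: str         # type component of scontext, e.g. "untrusted_app"
    target_type: str         # type component of tcontext, e.g. "init"
    tclass: str              # object class, e.g. "unix_dgram_socket"
    fields: Dict[str, str]   # every key=value pair, hex fields decoded


_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_audit_value(key: str, raw: str) -> str:
    """Return the human-readable value of one key=value pair.

    Audit prints unproblematic strings in double quotes and hex-encodes the
    rest. An abstract Unix socket path begins with a NUL byte; it is shown
    here with the '@' prefix used by ss/netstat (display choice)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if (key in HEX_ENCODED_FIELDS and len(raw) % 2 == 0
            and re.fullmatch(r"[0-9A-Fa-f]+", raw)):
        text = bytes.fromhex(raw).decode("utf-8", errors="replace")
        return "@" + text[1:] if text.startswith("\0") else text
    return raw


def context_type(ctx: str) -> str:
    """Extract the type from a 'user:role:type:sensitivity[:categories]' label."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return parts[2]


def parse_avc(line: str) -> AvcDenial:
    """Parse one 'avc: denied' audit record into its parts."""
    m = _DENIED_RE.search(line)
    if m is None:
        raise ValueError("line does not contain an 'avc: denied' record")
    fields = {k: decode_audit_value(k, v) for k, v in _KV_RE.findall(line)}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError(f"missing {required}= in avc line")
    return AvcDenial(
        permissions=m.group("perms").split(),
        source_type=context_type(fields["scontext"]),
        target_type=context_type(fields["tcontext"]),
        tclass=fields["tclass"],
        fields=fields,
    )


def allow_rule(denial: AvcDenial) -> str:
    """Render the narrowest allow rule that satisfies exactly this denial,
    in the syntax audit2allow emits (one rule per source/target/class)."""
    perms = " ".join(denial.permissions)
    if len(denial.permissions) > 1:
        perms = "{ " + perms + " }"
    return f"allow {denial.source_type} {denial.target_type}:{denial.tclass} {perms};"


if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    print("process :", d.fields["comm"])   # the app thread that called sendto
    print("socket  :", d.fields["path"])   # abstract socket name, '@' = leading NUL
    print("rule    :", allow_rule(d))
```

Run against the question's line, this decodes comm= to the calling thread name and path= to an abstract-namespace socket, and prints the single rule that would resolve the denial as logged. Read the rule before applying it: the target type is init because the native binary, launched as root from a shell, inherited init's domain, so the rule grants every untrusted app sendto to that whole domain. A dedicated domain for the native binary, declared in a sepolicy file as the comment suggests, is the narrower fix, and in either case loading the policy needs root on the device (the supolicy route in the question) or a rebuilt device policy.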

0 Answers