
Addressing Hidden Denials

If you encounter permission denials while in enforcing mode but do not see any avc: denied messages in the dmesg or logcat output, you may need to install a modified policy with the dontaudit rules stripped in order to find the underlying cause. The dontaudit rules are normally present to keep the audit logs free of noise from harmless application probing, or from permission tests that an application uses only to select a different code path and that are not required for its operation. To install and load the policy with dontaudit rules removed, do the following:

cd out/target/product/device/obj/ETC/sepolicy_intermediates
adb push sepolicy.dontaudit /data/local/tmp
adb shell
su
load_policy /data/local/tmp/sepolicy.dontaudit

Then re-test the operation that was failing and collect the avc: denied messages from dmesg. Be careful not to blindly allow all such permissions, as many of them will be unnecessary and not directly relevant to the operation that was failing. When you are finished testing, revert to the original policy as follows:

adb shell
su
load_policy /sepolicy
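
With dontaudit rules stripped, the log will also contain denials unrelated to the failing operation. The following is an added example, not part of the original page: it groups the collected avc: denied lines by source type, target type and class so that only the denials from the domain under test are reviewed. The function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # Contexts are user:role:type:level; the type is what policy rules name.
    s = f.get('scontext', '').split(':')
    t = f.get('tcontext', '').split(':')
    if len(s) < 3 or len(t) < 3 or 'tclass' not in f:
        return None
    return {'perms': set(m.group(1).split()), 'comm': f.get('comm', '?'),
            'source': s[2], 'target': t[2], 'tclass': f['tclass']}

def summarize(lines, domain=None):
    """Group denials by (source type, target type, class); optionally keep one domain."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in lines:
        d = parse_avc(line)
        if d is None or (domain and d['source'] != domain):
            continue
        g = groups[(d['source'], d['target'], d['tclass'])]
        g['perms'] |= d['perms']
        g['comms'].add(d['comm'])
        g['count'] += 1
    return dict(groups)

# Constructed sample dmesg lines (not from a real device).
SAMPLE = [
    '<5>[  101.100000] type=1400 audit(1400000000.100:10): avc:  denied  { read } for  pid=812 comm="mediaserver" name="video0" dev="tmpfs" ino=4021 scontext=u:r:mediaserver:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file',
    '<5>[  101.200000] type=1400 audit(1400000000.200:11): avc:  denied  { write open } for  pid=812 comm="mediaserver" name="video0" dev="tmpfs" ino=4021 scontext=u:r:mediaserver:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0',
    '<5>[  101.300000] type=1400 audit(1400000000.300:12): avc:  denied  { getattr } for  pid=2290 comm="example.app" path="/cache" dev="mmcblk0p3" ino=2 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:cache_file:s0 tclass=dir',
    '<6>[  101.400000] init: unrelated kernel log line',
]

if __name__ == '__main__':
    # Review only the domain whose operation was failing.
    for (src, tgt, cls), g in sorted(summarize(SAMPLE, 'mediaserver').items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"x{g['count']} comm={','.join(sorted(g['comms']))}")
```

Feed it the saved dmesg output one line at a time, and pass the domain of the process being tested so that probing from other domains is left out of the review.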
