
selinux-policy/adbd: resolve SELinux denials for adb file operations and shell interactions#1034

Closed
abhilash-manna wants to merge 1 commit into openembedded:master from abhilash-manna:adbFix

@abhilash-manna


Problem:

This change addresses several SELinux denials encountered when using adb for file transfers (push/pull) and interactive shell sessions.

avc: denied { read open getattr } for pid=1089 comm=73796E6320737663203138 path="/denials.txt"
scontext=system_u:system_r:adbd_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0
tclass=file

avc: denied { write } for pid=1089 comm=73796E6320737663203138 name="denials.txt"
scontext=system_u:system_r:adbd_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0
tclass=file

avc: denied { use } for pid=3062 comm="semodule" path="/dev/pts/0" dev="devpts"
scontext=system_u:system_r:semanage_t:s0
tcontext=system_u:system_r:adbd_t:s0
tclass=fd

Fix:

  1. Fix adb pull/push operations: The adbd daemon (running as adbd_t) requires read, write, open, and getattr permissions to handle files labeled as etc_runtime_t.

  2. Fix interactive shell execution (adb shell): When executing commands like semodule via adb shell, the semanage_t domain attempts to use the pseudo-terminal (PTY) file descriptors (/dev/pts/0) created by adbd_t.

- Fix adb pull/push operations.
- Fix interactive shell execution.

Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com>
@abhilash-manna abhilash-manna marked this pull request as draft March 27, 2026 11:17
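
The three denials in the description above can be turned into candidate policy rules mechanically. The following is an added example, not part of the pull request and not the policy change it contains: it parses the AVC records, decodes the hex-encoded `comm` field (the audit subsystem hex-encodes values containing spaces), and merges permissions per source type, target type and class. The function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Denials from the PR description, each joined onto one line as in a raw audit log.
DENIALS = """\
avc: denied { read open getattr } for pid=1089 comm=73796E6320737663203138 path="/denials.txt" scontext=system_u:system_r:adbd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
avc: denied { write } for pid=1089 comm=73796E6320737663203138 name="denials.txt" scontext=system_u:system_r:adbd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
avc: denied { use } for pid=3062 comm="semodule" path="/dev/pts/0" dev="devpts" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:adbd_t:s0 tclass=fd
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_comm(value):
    # Quoted values are literal; unquoted ones are hex-encoded process names.
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def parse_denials(text):
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        f = dict(FIELD_RE.findall(m.group(2)))
        if not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue  # incomplete record, nothing to derive a rule from
        denials.append({"perms": m.group(1).split(),
                        "comm": decode_comm(f.get("comm", "")),
                        "source": f["scontext"].split(":")[2],  # type field
                        "target": f["tcontext"].split(":")[2],
                        "tclass": f["tclass"]})
    return denials

def to_allow_rules(denials):
    # Merge permissions per (source, target, class), as audit2allow does.
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        body = " ".join(sorted(perms))
        rules.append(f"allow {src} {tgt}:{cls} {{ {body} }};")
    return rules
```

The decoded `comm` shows which adbd thread hit the file denials, which helps when deciding whether a rule on the whole `etc_runtime_t` type is the right scope or whether the file should carry a narrower label.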
@kraj

kraj commented Mar 29, 2026

Contributor

LGTM, applied with 801addc to master.

@kraj kraj closed this Mar 29, 2026
GargiQcom pushed a commit to GargiQcom/meta-openembedded that referenced this pull request Mar 30, 2026
Upgrade to release 1.9.0:

- 1.9.0
  - Remove Python 3.8 support (EOL), add Python 3.13 (5f25030)
  - Remove localhost and 127.0.0.1 from default NO_PROXY list (openembedded#994)
  - Support IPv6 CIDRs in the no_proxy option (openembedded#1033)
  - Fix thread safety condition in `teardown()` to improve `run_forever()` (openembedded#1015)
  - Fix openembedded#1024 by chunking data, recursion in on_error callback, thread leak in `_stop_ping_thread()`, avoid implicit None in `recv()` (openembedded#1036)
  - Avoid bare except clauses for better error handling (openembedded#1036)
  - Fix async (openembedded#983)
  - Resolve mypy type errors (openembedded#996, openembedded#1006, 813d570)
  - Test coverage improvements (openembedded#1035, openembedded#1036)
  - flake8 linting improvements (openembedded#1034)

- 1.8.0
  - Added `on_reconnect` parameter to WebSocketApp to handle callback ambiguity (openembedded#972)
  - Improve handling of SSLEOFError and use reconnect bool (openembedded#961)
  - Minor linting and docs CI build upgrades (981c00e, 75ba91a, bec2608)

License-Update: copyright years refreshed

Signed-off-by: Ryan Eatmon <reatmon@ti.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>