not working with Samsung devices running SELINUX set to enforcing #28

Closed
calisro opened this issue Oct 24, 2014 · 14 comments

@calisro

calisro commented Oct 24, 2014

My device is rooted and Knox is disabled, but it's a stock ROM running SELinux in enforcing mode (Samsung Galaxy S5). The issue is that the post up scripts do not get run. They fail with an error 127 regardless of what is in them. This is SELinux preventing it. I tried with and without your variable for command interpreter. Didn't make a difference. I can get tinc working by running those scripts after the fact, so I know everything is set up properly.

@calisro
Author

calisro commented Oct 25, 2014

I found that if I copy the tincd binary to the /system folder rather than in /data, the binary works perfectly again and can execute all scripts. Obviously the GUI doesn't work anymore... but at least I can script it to start and stop now...

@luckyhacky
Contributor

I think this is a limitation of the security feature "SE Linux".
SuperUser binaries can only be executed in /system directory but we can't copy it to this location in an automatic way. This would make this security feature useless.
You can either define an SE linux rule or you can copy tincd to /system and change the path in the android app.

@calisro
Author

calisro commented Oct 29, 2014

Do we have the ability to change the path in the tinc_gui? If not, then it might be good to have the ability as an enhancement. It also might be good to have a mechanism to copy the file to /system. All you need to do that is super user anyway. That's how I did it.

@luckyhacky
Contributor

Only option would be to copy tincd binary to /system.
I think it is no good option to let the user select a binary because then he can choose a wrong file where we have lots of bug reports and bad reputation on Google Play.

If you like to have a custom path, you can compile tinc_gui on your own.

@calisro
Author

calisro commented Oct 30, 2014

While I understand what you're saying, it renders the GUI unusable for anyone on an enforcing SELinux ROM, which is the future of your Google Play users. Regardless, I've scripted this myself for now.

@Vilbrekin
Owner

Indeed, we might consider adding the ability to install into /system.

@luckyhacky
Contributor

@calisro can u check the original version of Vilbrekin and execute this:
su --context u:r:untrusted_app:s0

see http://cygery.com/wordpress/2014/06/29/android-l-selinux-root-apps/

Maybe we can set the correct context of the tincd binary?!

@calisro
Author

calisro commented Nov 19, 2014

That command executes and does do something. It's hard to test anything in that shell because after executing it, I can't get to my /sdcard or /data or anywhere else. Let me know if there is something in particular I can check?

@luckyhacky
Contributor

Did some further investigations:
you have to compile tinc with the --pie switch
see Application.mk -> APP_PIE = true
This is only for android > 4.1

If you change tincd to another file context, e.g.
chcon u:object_r:system_file:s0 tincd
You can start tincd, but it will fail with a "bad file number" error. This is caused by the SELinux security environment.
I changed the android firewall but the error still exists.

@calisro try changing system context with chcon command or try executing su --context u:r:object_r:system_file:s0 /path/to/tinc/tincd -D -d2 -c /path/to/cfg

@calisro
Author

calisro commented Nov 22, 2014

I tried with a few different contexts but still failed with the same error when trying to execute the up scripts.

@Vilbrekin
Owner

Thanks for your inputs. I'll deliver next version with PIE enabled, limited to 4.1+ devices.
Will be done using #26.

@luckyhacky
Contributor

Sorry for late reply.
Tested it with Android 5.0 and commit bb562d8 .
There is one issue. A space is missing after "-c" option. After that change it is working for me. Otherwise shell is complaining about unknown option -c'

TincdService.this.run("sh -c'umask 022; id; exec " + getFileStreamPath(TINCBIN) + " -D -d" + _debugLvl + " -c " + _configPath + " --pidfile=" + getFileStreamPath(PIDFILE) + "'", TincdService.this);

Should be:
TincdService.this.run("sh -c 'umask 022; id; exec " + getFileStreamPath(TINCBIN) + " -D -d" + _debugLvl + " -c " + _configPath + " --pidfile=" + getFileStreamPath(PIDFILE) + "'", TincdService.this);

maybe you can correct this and merge it back to master (ndk studio should be developed in a separate branch :P )
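
Added example, not part of the thread or of tinc_gui's code: how a POSIX shell splits the two command strings quoted above, assuming the string built in TincdService is parsed by a POSIX shell (the thread does not show how run() hands it over). It goes one step beyond the thread by also quoting the interpolated paths; the helper names and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. Paths are constructed stand-ins for the values the app
# takes from getFileStreamPath(TINCBIN) and _configPath.
TINCD='/data/data/org.poirsouille.tinc_gui/files/tincd'
PLAIN="umask 022; id; exec $TINCD -D -d2 -c /sdcard/tinc/vpn"

# argv_count CMD: how many words a POSIX shell splits CMD into.
# eval applies the shell's own quoting rules; "set --" stops option parsing.
# Only used here on strings built inside this script.
argv_count() {
    eval "set -- $1"
    echo "$#"
}

# argv_word CMD N: word N (0-based) of CMD after shell word splitting.
argv_word() {
    _n=$2
    eval "set -- $1"
    shift "$_n"
    printf '%s\n' "$1"
}

# sh_quote VALUE: single-quote VALUE, rewriting each embedded ' as '\''
# so the value always comes back as exactly one word.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The two forms from the thread: without and with the space after -c.
BROKEN="sh -c'$PLAIN'"
FIXED="sh -c '$PLAIN'"

# Beyond the thread: a config path with a space and a quote (constructed),
# quoted once for the inner command line and once more for sh -c.
CONF="/sdcard/tinc/bob's vpn"
EXEC_LINE="exec $(sh_quote "$TINCD") -D -d2 -c $(sh_quote "$CONF")"
HARDENED="sh -c $(sh_quote "umask 022; id; $EXEC_LINE")"

report() {
    printf '%s: %s words, argv[1]=[%s]\n' "$1" \
        "$(argv_count "$2")" "$(argv_word "$2" 1)"
}
report broken "$BROKEN"
report fixed "$FIXED"
report hardened "$HARDENED"
```

In the broken form the whole script is glued onto `-c` as a single word, so sh never receives a separate command string; in the other two forms it gets `-c` and the script as distinct arguments.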

@Vilbrekin
Owner

Already fixed it in latest commit: https://github.com/Vilbrekin/tinc_gui/blob/lollipop/app/src/main/java/org/poirsouille/tinc_gui/TincdService.java#L210
This matches the release 0.9.12.

@alteist

alteist commented Jan 11, 2015

I was stuck with the same 127 error on an S4, but copying the tincd binary to /system and symlinking it back for the GUI worked for me. Try:

su
cp /data/data/org.poirsouille.tinc_gui/files/tincd /system/bin/tincd
mv /data/data/org.poirsouille.tinc_gui/files/tincd /data/data/org.poirsouille.tinc_gui/files/tincd.orig
ln -s /system/bin/tincd /data/data/org.poirsouille.tinc_gui/files/tincd

I think the authors could include this trick via a special button (e.g. "install tincd binary to system") to work around the issue.
