SELinux Policy, AVC Denials & audit2allow in AOSP
How SELinux enforcement works in Android - from policy rules to AVC denials and using audit2allow to debug them
1 min readWhat is SELinux Policy?
SELinux (Security-Enhanced Linux) enforces Mandatory Access Control (MAC) in Android. Every access between a process and a resource must be explicitly allowed by policy - anything not allowed is denied by default.
A policy rule defines: which process/domain can access, which object/type, and with what permissions.
What is an AVC Denial?
When a process attempts an operation not permitted by SELinux policy, the kernel blocks it and logs an AVC (Access Vector Cache) denial.
Key AVC Log Fields
- ▸scontext → source domain (the process being denied)
- ▸tcontext → target object type (what it tried to access)
- ▸tclass → object class (file, socket, dir, etc.)
- ▸permissions → the denied operations (read, open, write…)
What is audit2allow?
audit2allow is a helper tool that reads AVC denial logs and suggests SELinux allow rules to fix them.
Where is audit2allow in Newer AOSP?
In newer Android branches, audit2allow is a Python-based SELinux userspace utility located at:
How to Build audit2allow
Build Steps
source build/envsetup.sh lunch aosp_x86_64-eng m audit2allow # Output binary: out/host/linux-x86/bin/audit2allow
How to Feed AVC Logs to audit2allow
Step-by-step
# 1. Collect AVC denials from device adb shell dmesg | grep -i avc > avc.log # 2. Run audit2allow out/host/linux-x86/bin/audit2allow -p <sepolicy path in out> -i avc.log # 3. Review generated rules carefully # before adding them to .te policy files
Important Caveat
audit2allow is a debugging aid - not a policy generator. Blindly applying its suggestions can over-permission your system. Always understand why a denial is happening and whether the access is architecturally correct before adding a rule.