Termux-app: "Permission denied" as non-root user after creating/editing files as root

After updating Termux today, I can't reproduce the issue. Closing now ...

Update: This bug has cropped up again.

I encountered the same issue and did some investigation.

This is a SELinux security context issue:

taimen:/data/data/com.termux/files/usr/etc # touch test
taimen:/data/data/com.termux/files/usr/etc # ls -lZ test
-rw-r--r-- 1 root    root    u:object_r:app_data_file:s0              0 2017-12-09 12:06 test

taimen:/data/data/com.termux/files/usr/etc # chown u0_a158:u0_a158 test
taimen:/data/data/com.termux/files/usr/etc # ls -lZ test
-rw-r--r-- 1 u0_a158 u0_a158 u:object_r:app_data_file:s0              0 2017-12-09 12:06 test

and can be resolved by running restorecon on the affected file:

taimen:/data/data/com.termux/files/usr/etc # restorecon -v test
SELinux: Loaded file_contexts
SELinux:  Relabeling /data/data/com.termux/files/usr/etc/test from u:object_r:app_data_file:s0 to u:object_r:app_data_file:s0:c512,c768.
taimen:/data/data/com.termux/files/usr/etc # ls -lZ test
-rw-r--r-- 1 u0_a158 u0_a158 u:object_r:app_data_file:s0:c512,c768    0 2017-12-09 12:06 test

Thanks, that fixed it! 👍
I wonder if it would be helpful to have a FAQ for issues, because I imagine many people will encounter this issue.

@Monsieur-Moony We have a FAQ at the termux wiki, but this issue isn't covered (feel free to contribute).

@Grimler91 Done! Feel free to review my edit and let me know if I can improve it.

@aleph4
I am this issue but the command restorecon tells

bash-4.4# restorecon -Rv /data/data/com.termux/files/usr/etc/ selinux_android_file_context_handle: Error getting file context handle (No such file or directory)

Help any one

you have to move files to /sdcard at which point the files aren't marked by selinux. Then mv them back to where you need them.

Where can I find this restorecon-package?
pkg search restorecon doesn't return anything, nor does $ restorecon.

EDIT: restorecon is a package installed on android itself. You will need to use adb shell instead of termux itself.

@jottr Were you trying restorecon via root or as a non-root user inside Termux?

On my device, restorecon is located in /system/bin, which is not in the PATH for a non-root user, and won't work even if invoked with its absolute path as a non-root user. I was able to use it alright in a superuser session (with tsu, but su should also work).

@Monsieur-Moony

$ tsu
localhost# restorecon
restorecon: command not found 

Strange. I have 2 Android devices (one rooted and one not), and they both have toybox installed on them, which contains packages like restorecon, getenforce etc for SELinux support.

I can only guess that either your device doesn't have /system/bin/toybox installed, or it does but toybox was compiled without SELinux support.

Misunderstanding on my part: I overread that it's not in termux's PATH but can be invoked by giving the full path /system/bin/restorecon, which works on my tmux installation as well.

Interesting, thanks for sharing the solution!

I have met same issue, and I rescue my termux at https://github.com/termux/termux-app/issues/542#issuecomment-391250591

but ... still get more errors:

$ pkg install tsu
Hit:1 https://termux.net stable InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  tsu
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 2252 B of archives.
After this operation, 36.9 kB of additional disk space will be used.
Get:1 https://termux.net stable/main all tsu all 2.0 [2252 B]
Fetched 2252 B in 0s (3138 B/s)
Selecting previously unselected package tsu.
dpkg: unrecoverable fatal error, aborting:
 unable to open files list file for package 'zsh': Permission denied
W: Problem unlinking the file /data/data/com.termux/files/usr/var/log/apt/eipp.log.xz - FileFd::Open (13: Permission denied)
W: Could not open file /data/data/com.termux/files/usr/var/log/apt/eipp.log.xz - open (17: File exists)
W: Could not open file '/data/data/com.termux/files/usr/var/log/apt/eipp.log.xz' - EIPP::OrderInstall (17: File exists)
E: Sub-process /data/data/com.termux/files/usr/bin/dpkg returned an error code (2)

is it any way to find all files with bad selinux label and to do a batch restore process to them?

and, as that said:
unable to open files list file for package 'zsh': Permission denied
I have uninstalled zsh, maybe some remaining of zsh has the bad selinux label, how to find and get rid of it ??

Could this way work

$cd /data/data/com.termux
$restorecon -v -R
$cd /data/app/com.termux-1/
$restorecon -v -R

to do with all files of termux??

Could this way work

$cd /data/data/com.termux
$restorecon -v -R
$cd /data/app/com.termux-1/
$restorecon -v -R

to do with all files of termux??

Running restorecon on Termux directory /data/data/com.termux shouldn't harm anything. It just restores normal SELinux labels for files at this path.

@xeffyr I have run

# restorecon -v -R /data/data/com.termux                                                                                                       
SELinux: Loaded file_contexts contexts from /file_contexts.
SELinux:  Relabeling /data/data/com.termux/lib from u:object_r:app_data_file:s0 to u:object_r:app_data_file:s0:c512,c768.
SELinux:  Relabeling /data/data/com.termux/files/home/.python_history from u:object_r:app_data_file:s0 to u:object_r:app_data_file:s0:c512,c768.
SELinux:  Relabeling /data/data/com.termux/files/home/.bash_history from u:object_r:app_data_file:s0 to u:object_r:app_data_file:s0:c512,c768.
SELinux:  Relabeling /data/data/com.termux/files/home/.viminfo from u:object_r:app_data_file:s0 to u:object_r:app_data_file:s0:c512,c768.
SELinux:  Relabeling /data/data/com.termux/files/usr/lib/python3.6/__pycache__/rlcompleter.cpython-36.pyc from u:object_r:app_data_file:s0 to u:object_r:app_data_file:s0:c512,c768.
SELinux:  Relabeling /data/data/com.termux/files/usr/var/lib/dpkg/info/zsh.list from u:object_r:app_data_file:s0 to u:object_r:app_data_file:s0:c512,c768.
SELinux:  Relabeling /data/data/com.termux/files/usr/var/lib/dpkg/status-old from u:object_r:app_data_file:s0 to u:object_r:app_data_file:s0:c512,c768.

it corrected some files I had not found.
now pkg install XXX works well, but, after such tossing, I can not run reboot command in termux with command not found prompt, as I remember, it can be run as non-root before.

I can not run reboot command in termux with command not found prompt, as I remember, it can be run as non-root before.

You can run a reboot in non-root mode only with adb. Normal Android OS shouldn't permit using such commands by regular apps such as Termux.

Since the wiki is quite lacking on this and suggests to just run restorecon which doesn't work from a normal termux shell, here is what to do on a rooted device to fix the SELinux context of a file (or do anything else that needs the proper SELinux tools around & working):

1. Open termux
2. Get root with tsu

3. Use this command to get a proper rooted system shell (the native shell with the SELinux tools, not termux):

   env -i USER=root "$(PATH=/system/xbin:/system/bin:/su/bin:/sbin:/magisk/.core/bin which su)" root --context u:r:shell:s0 --shell /system/bin/sh --command sh
   

   (if your device wasn't rooted with magisk, some paths may need to be adjusted)

4. Inside the system shell, cd to the directory with your file with wrong permissions

5. Now you can use restorecon -v <affectedfile>. Don't forget to check the result with ls -lZa and also fix the owner & permissions as necessary with chown and chmod! (e.g. if this is a file that should be used by another app located in that app's folder of which you messed up the permissions, then it needs to be owned by that app and read/executable or whatever the app requires on access)

Ran into this same issue. As stated, this has nothing to do with file ownership. I guess I accidentally installed one or more packages with sudo. Here is how I solved the issue (fingers crossed):

1. sudo dpkg -P all packages that were installed with sudo.
2. Activate a root shell with su -l root
3. run restorecon on all offending files, namely /data/data/com.termux/files/usr/var/lib/dpkg/status
4. I had to manually track down and delete a number of installed components as apt update spit out similar errors in succession.
5. I ran restorecon -v -R /data/data/com.termux multiple times and nothing broke, so it may be possible just to go with that command, though I still had to track down and delete other stuff.

Similar to the other suggestions posted above, but it may be necessary to delete and purge all components of packages installed with sudo. Several of these operations will require sudo, which meant I had to execute number 3 above multiple times to get pkg to update successfully.

I faced same issue when running Frida server. 'su' is allowed. I changed user to root and then run my commands

I was denied access installing express in termux please how can I solve that