On 11/18/2015 08:12 AM, GPS wrote:
I have a new system service that needs to access a protected system file
/dev/mydev0.
I was able to setup policies for a native daemon to access this file.
But daemon is started from init*.rc file. This works because init.rc
files can specify a SELinux domain to assign to daemon.
You should only need to specify the SELinux context in init.rc if the
daemon executable lives in the rootfs. If it lives in /system, you can
assign it a file context that will trigger a domain transition
automatically in policy without needing to specify a context in init.rc.
How do I start my android service so that service will be assigned a
specifc SELinux domain? Can an android service be launched from init.rc?
Alternatively, if I launch my service on BOOT_COMPLETED intent, how do
assign it correct SELinux domain?
I also asked
here:
http://stackoverflow.com/questions/33779286/selinux-policy-definition-for-android-system-service-how-to-setup
1. You could keep it as a native daemon and have it expose a socket or
binder interface that can be used by apps. You don't have to expose the
device directly to apps at all.
2. If you need to assign a specific domain to a system app, you can use
seapp_contexts for that purpose.
--
You received this message because you are subscribed to the Google Groups "Android
Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to android-security-discuss+unsubscr...@googlegroups.com.
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
