2013/6/3 Stephen Smalley <[email protected]>:
> I assume you are referring to the Galaxy S4 policy?

Yes.

> If so, then my impression is that they are not using the per-app MLS
> category support from our sample policy but are instead only using MLS
> categories for their container implementation. I can't speak to the
> specifics of that, as it was done by Samsung, not us. You can see for
> yourself by looking at their seapp_contexts configuration file and seeing
> how/if it uses the levelFrom and level specifiers.

Yes, this is true.

> $ adb shell su 0 cat /seapp_contexts | grep levelFrom
> user=_app seinfo=container domain=container_app type=container_app_data_file
> levelFrom=container sdcard=/mnt_1/sdcard_ sdcardSuffix=_container

> Also, my understanding is that the GS4 shipped with SELinux in permissive
> mode by default, so you will have to put it into enforcing mode yourself to
> have it enforce anything. At least the model I have seen also disabled all
> AVC logging, so you would need to rebuild the kernel from source to enable
> that for policy debugging.

This is what I did. But when I enabled logging from the kernel config (i.e. CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=y), there were no selinux/avc logs in dmesg or /proc/kmsg, and nothing in /data/misc/audit/. When I boot in enforcing mode, SELinux works great: I get some legitimate access denials.

2013/6/3 Stephen Smalley <[email protected]>:
> If you are able to replace the seapp_contexts configuration on the device or
> override it via /data/security/seapp_contexts, you could re-enable the
> levelFrom support if you want such isolation, or you could define a separate
> TE domain for your app.

I will define a separate TE domain for my app. But how can I link my new domain policy with the Samsung sepolicy? Do I have to port semodule(8) to my device, or can I pull the /sepolicy file from my device to my computer, link it with my new .pp using semodule_link(8) and flash it back onto my device? I think neither of these solutions works.

Thanks again!

--
Thomas Coudray
--
This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
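The thread turns on reading a device's seapp_contexts to see whether levelFrom is used for per-app MLS isolation or only for a vendor container. As an added example (not code from the thread, from Samsung, or from the SE Android project), the script below parses seapp_contexts entries and classifies each one: levelFrom set to one of AOSP's values (app, user, all) means MLS categories are derived from the app or user; a value AOSP does not define (such as Samsung's "container") is flagged as vendor-specific; no levelFrom means only the TE domain and type separate the app. The first sample line is the Samsung entry quoted above, joined back onto one line since seapp_contexts entries are single lines; the second and third lines are constructed for comparison, and the key sets are the AOSP selectors and outputs of that era (isSystemServer, user, seinfo, name; domain, type, levelFrom, level), with anything else reported as a vendor extension.

```python
# Added example, not from the thread: parse seapp_contexts entries and report
# how each one separates apps (AOSP MLS categories, a vendor levelFrom value,
# or TE domain/type only).

# Constructed sample input. Line 1 is the Samsung entry quoted in the thread,
# rejoined onto one line; lines 2 and 3 are constructed for comparison
# (an AOSP-style entry and a hypothetical separate-domain entry for "myapp").
SAMPLE = """\
# comment lines and blank lines are skipped
user=_app seinfo=container domain=container_app type=container_app_data_file levelFrom=container sdcard=/mnt_1/sdcard_ sdcardSuffix=_container
user=_app domain=untrusted_app type=app_data_file levelFrom=user
user=_app seinfo=myapp domain=myapp type=myapp_data_file
"""

# AOSP input selectors and output specifiers for seapp_contexts (2013 era).
AOSP_INPUT_KEYS = {"isSystemServer", "user", "seinfo", "name"}
AOSP_OUTPUT_KEYS = {"domain", "type", "levelFrom", "level"}
# levelFrom values defined by AOSP's libselinux; anything else is vendor-specific.
AOSP_LEVELFROM = {"none", "app", "user", "all"}


def parse_seapp_contexts(text):
    """Return one dict (key -> value) per non-comment entry, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {}
        for token in line.split():
            if "=" not in token:
                raise ValueError(f"line {lineno}: token {token!r} is not key=value")
            key, value = token.split("=", 1)
            if key in entry:
                raise ValueError(f"line {lineno}: duplicate key {key!r}")
            entry[key] = value
        # An entry that assigns neither a domain nor a type does nothing useful.
        if "domain" not in entry and "type" not in entry:
            raise ValueError(f"line {lineno}: entry assigns neither domain nor type")
        entries.append(entry)
    return entries


def isolation_mode(entry):
    """Classify how an entry separates apps from one another.

    'mls'     - levelFrom is an AOSP value, so MLS categories come from the app uid
                and/or the Android user (app / user / all)
    'vendor'  - levelFrom uses a value AOSP does not define (e.g. 'container')
    'te-only' - no levelFrom (or levelFrom=none): only domain/type separate the app
    """
    level_from = entry.get("levelFrom", "none")
    if level_from == "none":
        return "te-only"
    if level_from in AOSP_LEVELFROM:
        return "mls"
    return "vendor"


def unknown_keys(entry):
    """Keys that are neither AOSP selectors nor AOSP outputs (vendor extensions)."""
    return sorted(set(entry) - AOSP_INPUT_KEYS - AOSP_OUTPUT_KEYS)


def report(text):
    """Return (domain, isolation mode, vendor-specific keys) for each entry."""
    return [(e.get("domain", "-"), isolation_mode(e), unknown_keys(e))
            for e in parse_seapp_contexts(text)]


if __name__ == "__main__":
    for domain, mode, extra in report(SAMPLE):
        print(f"{domain:16} {mode:8} vendor-specific keys: {extra or 'none'}")
```

Run against a real device's file (for example the output of `adb shell cat /seapp_contexts`), a 'te-only' result for the entry that matches your app tells you that isolation from other apps rests entirely on the TE domain and type you define, which is exactly the situation the reply above is asking about.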
