I'm happy with it being centralized. I only sent the patch to Gerrit because I
thought you guys would concentrate on the seandroid branch and Google would
maintain the vanilla Android branch.

If I find any more vanilla policy problems I'll send them just to the list.

Richard




________________________________
 From: rpcraig <[email protected]>
To: Richard Haines <[email protected]> 
Cc: seandroid <[email protected]> 
Sent: Friday, 16 August 2013, 12:56
Subject: Re: Allow zygote to launch apps in enforcement mode
 


On 08/16/2013 07:36 AM, Richard Haines wrote:

>I've just uploaded this patch to Gerrit, however it only applies to the vanilla
>Android policy:
>
>
>
>When SELinux is in enforcement mode it is not possible to launch apps.
>This rule will also allow the system to initialise even if enforcement
>mode is enabled during the boot process.
>
>Change-Id: I922b98267964e888faa36762c49c02661824d38c
>Signed-off-by: Richard Haines <[email protected]>
>---
> system.te | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/system.te b/system.te
>index fc76cd4..8734485 100644
>--- a/system.te
>+++ b/system.te
>@@ -9,3 +9,5 @@ unconfined_domain(system);
> 
> # Create a socket for receiving info from wpa.
> type_transition system wifi_data_file:sock_file system_wpa_socket;
>+# Allow zygote to launch apps 
>+allow system self:zygote { specifyseinfo specifyids };
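Review bot: The comment on the first added line says "Allow zygote to launch apps", but the source of the rule under it is `system`, not a zygote domain: it grants `system` the `specifyseinfo` and `specifyids` permissions on the `zygote` class against itself. Please reword the comment so it names the domain that actually receives the permissions. The hunk context also shows `unconfined_domain(system);` a few lines up, so the commit message should say why these two permissions still need an explicit rule for a domain that is already declared unconfined. Minor style points: the comment line ends in trailing whitespace after "apps", and the new rule sits directly under the wpa socket `type_transition` with no blank line separating the two unrelated rules.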
>-- 
>1.8.3.1
>
I certainly agree that we need to fix these types of issues. However, we are
presently working on fixing the delta that exists between the SE for Android
ref policies and that which exists in AOSP. We currently have 5 other patches
uploaded that will help bring the AOSP device specific policy in line with SE
for Android.

I'm not sure if doing this piecemeal will be much benefit. I would
think that having multiple people trying to bring the policy in line
will be a big headache. Your patch will be part of the larger one
offered by us though.

I'm open to differing opinions on this though.
