On 09/18/2013 10:40 AM, E. Paul Ratazzi wrote:
>
> I'm using apol to help me understand my SEAndroid sepolicy file. I'd also like to use apol's capability to search file contexts, but an index file is needed. I'm wondering what would be the easiest way to generate a file context index for the SEAndroid images I'm experimenting with.
>
> Off the top of my head, I can think of a few different ways to do this, including: 1) add secmds (along with libsefs, etc.) to what's in system/core/toolbox, then run indexcon from inside the live device; 2) install yaffs2 kernel support in my SELinux build environment, mount system.img (perhaps after using simg2img), etc. and run indexcon from the build environment; 3) generate an index at build time at the same time the labeling is done; 4) others?
>
> Am I missing an obvious way of doing this? Are there any tools hidden somewhere in the build tree that might make one of the above approaches easier?
>
> Thanks for your insight and suggestions,
> Paul
Not directly related, but on master, the emulator has switched to ext4 images rather than yaffs2. And the devices were already using ext4. So not sure it is worth investing in a solution that only works for yaffs2.

I don't think it is worth porting over setools to run on the device; all analysis should be possible entirely on the build host even before installing the images to a device.

If you try to mount the image on your build host, then you need to make sure you access it from a root process in a domain that has mac_admin permission or it won't be able to see the raw security contexts (the kernel will try to remap them to whatever policy is running on the build host). Unless of course your build host isn't running SELinux at all, in which case it is just fetching the raw extended attributes.

You could certainly instrument the tools that build the filesystem images (mkyaffs2image from external/yaffs2/yaffs2/utils and make_ext4fs from system/extras/ext4_utils) to also generate the index files during the build. They already have all of the information available to them; it is just a matter of adding the file and its security context to the index file at the same point it is already setting the xattr.

The last one seems best to me. But you are unlikely to get any patches that add libsefs or the like as dependencies for make_ext4fs accepted, both to avoid extraneous dependencies and due to the license on setools. So you'd have to maintain the patch yourself.

--
This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
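As an added example, not code from this thread or from setools, here is a small Python script for the mount-on-the-build-host approach discussed above: it walks a mounted (or extracted) image tree, reads the `security.selinux` xattr of every inode, and writes a simple index. The tab-separated index format and the `u:` prefix check are constructed for this example (the real indexcon format of libsefs is not reproduced); the prefix check is only a heuristic for spotting contexts the host kernel has remapped because the reader lacked mac_admin.

```python
import os
import sys

SELINUX_XATTR = "security.selinux"


def read_context(path):
    """Return the security.selinux value stored on path, or None if it is
    absent, unreadable, or xattrs are unsupported on this platform."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:
        return None
    return raw.rstrip(b"\0").decode("utf-8", "replace")


def looks_remapped(context):
    """Heuristic (constructed): Android labels are 'u:object_r:<type>:s0'.
    Anything else most likely means the host kernel substituted a context
    from its own policy (e.g. unlabeled_t) instead of the raw xattr."""
    return not context.startswith("u:")


def collect_contexts(root):
    """Yield (image_path, context) for every directory and file under root,
    rewriting host paths to the paths they will have inside the image."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            rel = os.path.relpath(path, root)
            image_path = "/" if rel == "." else "/" + rel
            context = read_context(path)
            if context is not None:
                yield image_path, context


def build_index(pairs):
    """Return index lines (path, context, flag) sorted by path; contexts that
    look remapped are flagged so the analyst knows the index is suspect."""
    lines = []
    for path, context in sorted(pairs):
        flag = "REMAPPED?" if looks_remapped(context) else "ok"
        lines.append(f"{path}\t{context}\t{flag}")
    return lines


if __name__ == "__main__":
    # usage: python3 mkindex.py /mnt/system > system.index
    sys.stdout.write("\n".join(build_index(collect_contexts(sys.argv[1]))) + "\n")
```

If every line is flagged `REMAPPED?`, re-run as root in a domain with mac_admin (or on a host without SELinux), as the reply above explains.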
