Hi,

Yesterday Google released android-4.4_r1.1 into AOSP along with the drivers for the Nexus 4, 7, and 10. We have merged android-4.4_r1.1 into the seandroid-4.4 branch and confirmed that mako, manta, and flo all at least boot in enforcing mode with our policy. The Enterprise Ops (EOps) code has also been ported over to seandroid-4.4.

SEAdmin will require some updates to address changes in the new API version in 4.4; until we are able to do so, we have set the target version to 18 in order to permit it to run on 4.4.

Android 4.4 sets enforcing mode from init, so the system no longer starts in permissive mode. If you need to boot in permissive mode initially for bootstrapping a new board's policy, you can use the androidboot.selinux=permissive kernel command-line argument, or you can make specific domains permissive using the per-domain permissive statement.

There are not yet kernel source trees for 4.4, but you can use the prebuilt kernels for the devices as they already include SELinux.

For augmented auditing, install auditd (included in our seandroid-4.4 branch) and push the sample system/core/auditd/audit.rules file to /data/misc/audit to enable syscall audit and full pathname collection.

master still does not include the 4.4 changes, so our seandroid branch remains based on 4.3 with AOSP changes. Only seandroid-4.4 is based on Android 4.4.

If you previously cloned android-4.4_r1 with seandroid-4.4, you will need to repo init -b android-4.4_r1.1, download the latest local_manifest.xml file from the seandroid-4.4 branch of our manifests project and copy it to your .repo subdirectory, and run repo sync again. You will also need to obtain the drivers from the Nexus drivers page, https://developers.google.com/android/nexus/drivers
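
A check for leftovers of the two bootstrapping relaxations described in the message (the androidboot.selinux=permissive argument and per-domain permissive statements), as an added example that is not part of the original message or of the SE for Android code. The function names and sample inputs are constructed; it assumes any occurrence of the argument counts as a finding and that policy comments start with "#".

```shell
#!/bin/sh
# Added example: flag bootstrapping relaxations left in a kernel command line
# or in policy source. All names and sample data here are constructed.

# Constructed sample kernel command line.
SAMPLE_CMDLINE='console=ttyHSL0,115200 androidboot.hardware=mako androidboot.selinux=permissive'

# Constructed sample policy source (read on stdin by the functions below).
sample_policy() {
cat <<'EOF'
# permissive old_domain;   (commented out, must be ignored)
type newboardd, domain;
permissive newboardd;
  permissive   sensors_hal ;
allow newboardd self:capability net_admin;
EOF
}

# selinux_boot_mode CMDLINE -> "permissive" if the whole argument is present,
# otherwise "enforcing" (4.4 sets enforcing mode from init).
selinux_boot_mode() {
    case " $1 " in
        *" androidboot.selinux=permissive "*) echo permissive ;;
        *) echo enforcing ;;
    esac
}

# permissive_domains [FILE...] -> sorted, unique domains named in
# "permissive <domain>;" statements; reads stdin when no file is given.
permissive_domains() {
    sed -n -e 's/#.*//' \
        -e 's/^[[:space:]]*permissive[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]]*;.*$/\1/p' \
        "$@" | sort -u
}

# bootstrap_leftovers CMDLINE [FILE...] -> prints findings and returns 1 if
# either relaxation is still present, returns 0 silently otherwise.
bootstrap_leftovers() {
    cmdline=$1; shift
    findings=
    [ "$(selinux_boot_mode "$cmdline")" = permissive ] &&
        findings="cmdline:androidboot.selinux=permissive"
    for d in $(permissive_domains "$@"); do
        findings="${findings:+$findings }domain:$d"
    done
    [ -z "$findings" ] && return 0
    echo "$findings"; return 1
}

# Stand-alone run over the constructed samples.
sample_policy | bootstrap_leftovers "$SAMPLE_CMDLINE" || true
```

On a real tree, pass the board's kernel command line as the first argument and the policy source files as the remaining arguments.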
