> I had to delete the /data/security folder before reloading the
> "selinux_bundle.zip". Seems that updating the existing files/folders
> doesn't work in my environment.

Remember, if you create subsequent policy update bundles you will need to
specify the -v option to buildsebundle with an incrementing version number
in order for the update to be applied; the default is 1.  By deleting the
existing /data/security directory you are in effect resetting the version
of the policy files, so it makes sense that it worked after that. The
current SELinux policy version can always be seen in the file
/data/security/bundle/metadata/version after the first selinux_bundle has
been applied.


> Can you please tell me how I can recognize that an error appeared?

Because of the way the ConfigUpdate mechanism (backend) is built, the only
way to recognize selinux_bundle errors is with logcat or via event log
messages. These types of errors will typically be a version, required
hash, or signature mismatch.



On Thu, Nov 28, 2013 at 8:47 AM, Severin Friede <[email protected]> wrote:

>
>
>
> 2013/11/27 Stephen Smalley <[email protected]>
>
>> On 11/27/2013 07:37 AM, Severin Friede wrote:
>> > Dear Mr. Smalley
>> >
>> > thank you for your answer, I really appreciate that!
>> >
>> > As I mentioned, I wrote 2 test apps (s1 & s2). Both are able to read and
>> > write a file to their own internal storage folder and to a common
>> > folder on the external storage (sdcard). So far it works as expected.
>> >
>> > 1) I create the external sdcard for an emulator with mksdcard, the
>> > filesystem is fat32, so unfortunately this won't work like you've
>> > explained.
>> >
>> > 2.) I tried to deny write permissions to internal and external storage
>> > for 3rd party apps (untrusted apps). I modified the "untrusted_app.te"
>> > file and uncomment the following lines:
>> >
>> > # Internal SDCard rw access.
>> > #allow untrustedappdomain sdcard_internal:dir create_dir_perms;
>> > #allow untrustedappdomain sdcard_internal:file create_file_perms;
>> >
>> > # External SDCard rw access.
>> > #allow untrustedappdomain sdcard_external:dir create_dir_perms;
>> > #allow untrustedappdomain sdcard_external:file create_file_perms;
>> >
>> > Then I rebuild the policy and loaded it through the SEAdmin App:
>> >
>> > buildsebundle -k build/target/product/security/testkey.pk8 \
>> >     out/target/product/manta/root/*
>> >
>> > adb push selinux_bundle.zip /sdcard/
>> >
>> > this stayed without success so I tried a different method
>>
>> Sorry, did you trigger the reload via SEAdmin after pushing the bundle?
>> What error did you get?  Did it unpack the files under /data/security?
>> What version of Android are you using - master, 4.4, 4.3?
>>
>>
> Yes, I first compiled the policy, then pushed it via adb push and then
> triggered the reload with SEAdmin.
> Finally I could deny the read and write permissions to the external
> storage for untrusted apps. I had to delete the /data/security folder
> before reloading the "selinux_bundle.zip". Seems that updating the existing
> files/folders doesn't work in my environment. Can you please tell me how I
> can recognize that an error appeared? I am using Android 4.3.
>
>

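An added example, not part of the thread or of the SE for Android tools: a shell helper that picks the value to pass to buildsebundle -v from the contents of /data/security/bundle/metadata/version. The function names are hypothetical, and the rule that a bundle is applied only when its version is strictly greater than the installed one is an assumption drawn from the "incrementing version number" advice above.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not SE for Android tooling.
# Fetch the input on a host with adb, e.g.:
#   raw=$(adb shell cat /data/security/bundle/metadata/version)

# Normalise the version file contents. Empty input (no bundle applied yet,
# or /data/security was deleted) counts as version 0.
current_version() {
    v=$(printf '%s' "$1" | tr -d '[:space:]')   # adb output may end in CR/LF
    if [ -z "$v" ]; then
        echo 0
        return 0
    fi
    case "$v" in
        *[!0-9]*) echo "unparseable version: $v" >&2; return 1 ;;
    esac
    echo "$v"
}

# Assumption: an update is applied only if its version is strictly greater
# than the installed one. Returns 0 if it would apply, 1 if not, 2 on bad input.
would_apply() {
    cur=$(current_version "$1") || return 2
    [ "$2" -gt "$cur" ]
}

# Version to pass to "buildsebundle -v" for the next update bundle.
next_version() {
    cur=$(current_version "$1") || return 1
    expr "$cur" + 1
}
```

With the installed version in $raw, the next bundle would be built with -v "$(next_version "$raw")" alongside the -k option and policy files shown in the quoted command.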