Hi,
We've made some changes to the SEAdmin app and to the support of
device admin APIs for SELinux and middleware MAC controls. We have
completely dropped all device admin support for any and all SELinux and
middleware MAC controls, which includes the ability to toggle enforcing
status, flip booleans and reload policy. Dropping this support in
the Device Policy Manager Service also means that compatible
functionality present in SEAdmin was dropped. What remains of SEAdmin is
now a simple policy reload mechanism that utilizes the ConfigUpdater
backend instead. This mechanism is completely independent of the prior
reload functionality which exclusively used device admin extensions.
Each of our supported policy files is compatible with one of our new
SEAdmin reload options: kernel-related policies, install-time MAC
(mac_perms file), eops (enterprise ops) and intent firewall policy. Our
seandroid (master) and 4.4 branches have all been updated with these
changes. In particular, changes were made to frameworks/base,
external/sepolicy and package/apps/SEAdmin projects.

Lastly, some minor work has begun and been released on our master and
4.4 branches w.r.t. Intent Firewall policy. Intent Firewall is a way to
broadly control ICC in Android in much the same way that our own
intent-mac achieved: restrict starting activities, starting/stopping
services and broadcasting intents. We have provided a very minimal
policy file at external/sepolicy/ifw.xml which serves to really just
outline some of the possibilities with the policy syntax versus actually
enforcing anything useful. Work will continue in this area as we bring
over some of the original intent_mac policy goals and ideas. We have
also provided a means to load this new policy using our buildifwbundle
tool (external/sepolicy/tools/build_bundle/). Once the policy bundle is
loaded onto the sdcard, the SEAdmin app can be used to trigger a reload
of the ifw policy. In order to view any policy logging you will have to
dump the events log via logcat. Just invoke "adb logcat -b events" and
search for various "ifw_intent_matched" tags. The seandroid wiki at
http://selinuxproject.org/page/SEAndroid also provides further details.
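
Added example (not part of the original message and not SE Android project code): a small filter for the output of "adb logcat -b events" that summarizes "ifw_intent_matched" entries per intent type, target component and caller uid. It assumes the event payload begins with intent type, component name and caller uid, and that type codes 0/1/2 mean activity/broadcast/service, as in AOSP's IntentFirewall; the sample lines are constructed.

```python
import re
import sys
from collections import Counter

# Assumption: intent-type codes as used by AOSP's IntentFirewall.
INTENT_TYPES = {0: "activity", 1: "broadcast", 2: "service"}

# Matches an ifw_intent_matched payload in "brief" or "threadtime" logcat
# output. Only the first three fields are parsed, because later fields
# (caller packages, URI) can themselves contain commas.
EVENT_RE = re.compile(
    r"ifw_intent_matched\s*(?:\(\s*\d+\))?\s*:\s*\[(\d+),([^,\]]*),(-?\d+),"
)

def parse_ifw_events(lines):
    """Yield (intent_type, component, caller_uid) for each matched event."""
    for line in lines:
        m = EVENT_RE.search(line)
        if m is None:
            continue  # some other events-log tag
        code = int(m.group(1))
        kind = INTENT_TYPES.get(code, "unknown(%d)" % code)
        yield kind, m.group(2), int(m.group(3))

def summarize(lines):
    """Count matched intents per (intent type, component, caller uid)."""
    return Counter(parse_ifw_events(lines))

# Constructed sample lines, not captured from a real device.
SAMPLE = [
    "I/ifw_intent_matched(  604): [0,com.example.app/.MainActivity,10052,1,"
    "com.example.caller,android.intent.action.VIEW,NULL,NULL,268435456]",
    "I/am_proc_start(  604): [0,1234,10052,com.example.caller,activity,x]",
    "01-02 03:04:05.678   604   620 I ifw_intent_matched: [1,NULL,10061,2,"
    "com.example.a,com.example.b,com.example.ACTION_PING,NULL,NULL,16]",
    "I/ifw_intent_matched(  604): [0,com.example.app/.MainActivity,10052,1,"
    "com.example.caller,android.intent.action.MAIN,NULL,NULL,0]",
]

if __name__ == "__main__":
    # Pipe real output in (adb logcat -b events -d | python3 this_file.py),
    # or run with no pipe to see the constructed sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for (kind, comp, uid), n in summarize(source).most_common():
        print("%4d  %-9s uid=%-6d %s" % (n, kind, uid, comp))
```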