Are you building our seandroid 4.4 based branch, or are you building the AOSP 4.4 branch? Depending on that answer the remedy to your problem will slightly differ. Some things to watch out for though.

If you're seeing a bunch of untrusted_app denials then that might indicate an incorrectly composed mac_permissions.xml (source at external/sepolicy/mac_permissions.xml, processed form at system/etc/security/mac_permissions.xml in your out directory) file. If you run a "ps -Z" do you see a bunch of untrusted_app domains for all your apps?

The mac_permissions.xml file is responsible for taking the cert used to sign an apk and assigning it an seinfo tag which is interpreted by the seapp_contexts (external/sepolicy/seapp_contexts) file. The seapp_contexts file then assigns the appropriate app domain (platform_app, shared_app, media_app, release_app, untrusted_app) based on a series of selectors (one of which is the seinfo tag). If you do have untrusted_app domains this means all your apps are dropping to the default stanza in the mac_permissions.xml file which then translates to untrusted_app because of the default seinfo tag. You'll need to get the correct certs into the mac_permissions.xml file to solve this.

To remedy this you could try to construct an appropriate keys.conf (external/sepolicy/keys.conf) file. That file is used for controlling the mapping of "tags" found in the mac_permissions.xml signature stanzas with actual public keys found in pem files that you're using to resign your apps. The tags are then substituted out for the correct certs when building the image. You might also have success by simply adding the DEFAULT_SYSTEM_DEV_CERTIFICATE set to the directory of your new certs when building your image; doing this in lieu of building a keys.conf file. If none of these work you can always hand edit the mac_permissions.xml file with the correct cert.

On Thu, Mar 6, 2014 at 7:11 PM, Jaejyn Shin <[email protected]> wrote:

> Dear SEAndroid developers
>
> I ran the CTS Test using my Android 4.4 image (CTS: Android plan).
> Then, there were lots of denial logs and most of the logs were generated
> from "untrusted_app".
>
> the # of total denial logs: 31962
> the # of total denial logs from untrusted_app: 31958
>
> To remove the denial logs and also to make my Android device secure, I
> am considering applying the recent SEPolicy from AOSP master branch (
> https://android.googlesource.com/platform/external/sepolicy/+/master)
>
> Can I apply the recent sepolicy to my Android 4.4 device?
> Is it compatible and safe?
>
> Thank you
> Best regards
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].
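The cert-to-seinfo-to-domain lookup described in the reply above, as an added example that is not part of the original thread or of the SEAndroid code. The XML and seapp_contexts snippets, the shortened hex "certs" and the function names are constructed for illustration, and the selector matching is a simplification (an entry naming seinfo beats one that does not).

```python
import xml.etree.ElementTree as ET

# Constructed, processed-form mac_permissions.xml: the tags have already been
# replaced by certs (shortened, fake hex strings here).
MAC_PERMISSIONS = """
<policy>
  <signer signature="aa01"><seinfo value="platform"/></signer>
  <signer signature="bb02"><seinfo value="media"/></signer>
  <default><seinfo value="default"/></default>
</policy>
"""

# Constructed seapp_contexts entries using domains named in the message.
SEAPP_CONTEXTS = """
user=_app domain=untrusted_app
user=_app seinfo=platform domain=platform_app
user=_app seinfo=media domain=media_app
"""

def seinfo_for_cert(cert_hex, xml_text=MAC_PERMISSIONS):
    """Return the seinfo tag for a signing cert, else the <default> stanza's tag."""
    root = ET.fromstring(xml_text)
    for signer in root.findall("signer"):
        if signer.get("signature", "").lower() == cert_hex.lower():
            return signer.find("seinfo").get("value")
    return root.find("default/seinfo").get("value")

def domain_for(user, seinfo, contexts=SEAPP_CONTEXTS):
    """Pick the matching entry; one that names seinfo wins over one that does not.
    Assumption: simplified, the real file has more selectors and ordering rules."""
    best = None
    for line in contexts.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if not fields or fields.get("user") != user:
            continue
        wanted = fields.get("seinfo")
        if wanted is not None and wanted != seinfo:
            continue  # entry requires a different seinfo tag
        if best is None or (wanted is not None and "seinfo" not in best):
            best = fields
    return best["domain"] if best else None

def resolve(cert_hex):
    seinfo = seinfo_for_cert(cert_hex)
    return seinfo, domain_for("_app", seinfo)

if __name__ == "__main__":
    for cert in ("aa01", "bb02", "cc03"):  # cc03: re-signing key missing from the XML
        print(cert, resolve(cert))
```

The "cc03" case is the failure mode from the thread: a signing cert absent from mac_permissions.xml gets the default seinfo and lands in untrusted_app.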
