>> Is that good enough or do you need this to be done for all device nodes automatically when created by ueventd?

I am not sure about the need to do it for all devices. While setting the symlink, I get the corresponding device and then label from policy and use setfilecon to apply it. Is my understanding correct?

On Wed, Jun 11, 2014 at 1:38 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 06/11/2014 04:38 PM, Dinesh Garg wrote:
> >>>If you know the partition number at build time
> > No. Suppose I have a device which has some build loaded. Now, I update
> > just HLOS images i.e. boot, system, userdata. This would not change
> > pre-flashed partition tables. Hence, I can't use any build time option
> > to generate the rule.
> >
> > However while device is coming up, we know what this link points to. Is
> > it possible to assign label to device that time?
> >
> > Example: static policy would have:
> >
> > allow daemon1 mylabel:chr_file {op1, op2, ...}
> >
> > Now when device comes up, I get that /mypartition is pointing to
> > /dev/block/mmcblk0p0N. So If I am able to apply label
> > to /dev/block/mmcblk0p0N during runtime, everything should be fine.
>
> (restored cc line for list)
>
> I suppose we could have a variant of restorecon that uses getfilecon()
> and setfilecon() rather than lgetfilecon() and lsetfilecon() so that you
> could invoke it from init.<board>.rc on /mypartition and it would use
> the provided pathname for lookup but apply the label to whatever is
> referenced by the symlink named by that pathname. Is that good enough
> or do you need this to be done for all device nodes automatically when
> created by ueventd?
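
The symlink-following relabel discussed in this thread, as an added example (not code from the thread, from Android init, or from libselinux). The `fc_entry` table, the function names and the prefix check on the resolved target are assumptions made for illustration; the label is written with `setxattr()` on `security.selinux`, the attribute that `setfilecon()` sets.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>

/* Constructed stand-in for file_contexts: exact-match paths only (real
 * file_contexts entries are regexes). Paths and labels are hypothetical. */
struct fc_entry { const char *path; const char *context; };

/* Look the label up by the name as given (the symlink), not by its target. */
const char *lookup_context(const struct fc_entry *t, size_t n, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].path, path) == 0)
            return t[i].context;
    return NULL;
}

/* Resolve `path` through any symlinks and refuse targets outside `prefix`
 * (e.g. "/dev/block/"), so a redirected link cannot relabel arbitrary files. */
int resolve_target(const char *path, const char *prefix, char out[PATH_MAX])
{
    if (realpath(path, out) == NULL)
        return -1;                       /* errno set by realpath() */
    if (strncmp(out, prefix, strlen(prefix)) != 0) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Symlink-following restorecon for one path: the policy lookup uses `path`,
 * the label lands on the node it points to. Returns 0, or -1 with errno. */
int restorecon_follow(const struct fc_entry *t, size_t n,
                      const char *path, const char *prefix)
{
    char target[PATH_MAX];
    const char *ctx = lookup_context(t, n, path);

    if (ctx == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (resolve_target(path, prefix, target) != 0)
        return -1;
    /* Written to the resolved path so the node that passed the check is the
     * one labelled; takes effect only with privilege on an SELinux kernel. */
    return setxattr(target, "security.selinux", ctx, strlen(ctx) + 1, 0);
}
```

With `lsetfilecon()` the same call on `/mypartition` would label the link itself, which is why the static rule on `mylabel` never matched the underlying partition node.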