On 06/17/2014 09:27 AM, "François GILBERT" wrote:
>
> Hi,
>
> I'm just curious about the way SE policies are updated. I mean, is there a
> better way or a common way to update an SE policy?
> Currently, I work with the file_context file in order to perform some
> analysis between policies and I found some types that are not used in the
> policy. So, does that mean that these types are deprecated and the
> file_context is not yet updated, or that these types are newly defined types
> and are not yet used in the policy? What is most likely?
> In other words, can I expect file_context and policy from official releases
> (google, samsung, nsa, ...) to be consistent?
>
> Unfortunately I can't give an example from the current SEAndroid policy as
> it seems consistent; it's more frequent with samsung's SE policy.
Not used (i.e. never appears in an allow rule) or not defined (i.e. no type declaration for the type in the policy at all)?

The former can occur (and even be valid, as the type may nonetheless be authorized for use via attribute-based rules on attributes associated with the type).

The latter is checked at build time by the checkfc program, run by external/sepolicy/Android.mk on sepolicy and the file_contexts file to validate that all entries are legal and defined, so if you are finding inconsistencies there it indicates that Samsung (or whoever) has either disabled the checking in their builds or is post-processing the file_contexts configuration after or outside the normal build process. We have seen indications that our build-time validation is not being applied by Samsung to other files (e.g. seapp_contexts, checked via checkseapp as part of external/sepolicy/Android.mk as well), so it wouldn't surprise me, but this is checked for AOSP and our policies.

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
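The reply draws a three-way distinction that is easy to blur when comparing a vendor's file_contexts against its policy: a type referenced in file_contexts may be undefined (no type declaration at all, which checkfc rejects at build time), declared but never named in any allow rule, or named only indirectly through an attribute it carries. The script below is an added example written for this page, not code from the list thread, AOSP or checkfc. It runs over a constructed .te fragment and a constructed file_contexts fragment (both invented here) and classifies every type that file_contexts references. It understands only the simple `type`, `attribute` and one-source-one-target `allow` statements used in the sample; a real policy is compiled with checkpolicy and validated with checkfc, which this text-level approximation does not replace.

```python
import re

# Constructed .te fragment (not from any real device policy). The
# attribute declarations, type declarations and allow rules are invented
# to exercise each case the mailing-list reply describes.
SAMPLE_POLICY = """
attribute domain;
attribute file_type;
attribute data_file_type;
type system_file, file_type;
type app_data_file, file_type, data_file_type;
type shell_data_file, file_type, data_file_type;
type legacy_tmp_file, file_type;
type untrusted_app, domain;
allow untrusted_app system_file:file { read open getattr };
allow untrusted_app app_data_file:file { read write open };
allow domain data_file_type:dir search;
"""

# Constructed file_contexts fragment. ghost_file has no type declaration
# above, which is exactly what checkfc flags at build time.
SAMPLE_FILE_CONTEXTS = """
# path regex            security context
/system(/.*)?           u:object_r:system_file:s0
/data/data(/.*)?        u:object_r:app_data_file:s0
/data/local/tmp(/.*)?   u:object_r:shell_data_file:s0
/data/legacy(/.*)?      u:object_r:legacy_tmp_file:s0
/data/ghost(/.*)?       u:object_r:ghost_file:s0
"""

TYPE_RE = re.compile(r'^\s*type\s+(\w+)\s*((?:,\s*\w+\s*)*);', re.M)
ATTR_RE = re.compile(r'^\s*attribute\s+(\w+)\s*;', re.M)
# Only the simple "allow SRC TGT:CLASS ..." form; 'self' targets are skipped.
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+)\s*:', re.M)


def parse_policy(text):
    """Return (types, attributes, operands).

    types:      dict type name -> set of attributes given in its declaration
    attributes: set of declared attribute names
    operands:   identifiers (types or attributes) appearing as the source or
                target of some allow rule
    """
    attributes = set(ATTR_RE.findall(text))
    types = {}
    for name, attrs in TYPE_RE.findall(text):
        types[name] = {a.strip() for a in attrs.split(',') if a.strip()}
    operands = set()
    for src, tgt in ALLOW_RE.findall(text):
        operands.add(src)
        if tgt != 'self':
            operands.add(tgt)
    return types, attributes, operands


def parse_file_contexts(text):
    """Return [(path_regex, type)] for each entry; the context is the last
    whitespace-separated field and its type is the third ':' component."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        parts = fields[-1].split(':')
        if len(parts) < 4 or parts[0] != 'u' or parts[1] != 'object_r':
            raise ValueError('malformed context: %r' % fields[-1])
        entries.append((fields[0], parts[2]))
    return entries


def classify(policy_text, file_contexts_text):
    """Map every type referenced in file_contexts to one of:
    'undefined', 'used directly', 'used via attribute <a,...>',
    'declared but unused'."""
    types, _attributes, operands = parse_policy(policy_text)
    result = {}
    for _path, t in parse_file_contexts(file_contexts_text):
        if t not in types:
            result[t] = 'undefined'
        elif t in operands:
            result[t] = 'used directly'
        else:
            via = sorted(a for a in types[t] if a in operands)
            result[t] = ('used via attribute ' + ','.join(via)) if via \
                else 'declared but unused'
    return result


def undefined_types(policy_text, file_contexts_text):
    """The subset checkfc would reject: referenced but never declared."""
    return sorted(t for t, v in classify(policy_text, file_contexts_text).items()
                  if v == 'undefined')


if __name__ == '__main__':
    for t, verdict in sorted(classify(SAMPLE_POLICY, SAMPLE_FILE_CONTEXTS).items()):
        print('%-18s %s' % (t, verdict))
```

On the sample, shell_data_file is never named in an allow rule yet is authorized through the `data_file_type` attribute, so it is a legitimate "unused" type in the sense the reply allows; legacy_tmp_file is declared but reachable by no rule, which is suspicious but still valid policy; ghost_file is the build-breaking case, since it appears in file_contexts with no declaration behind it.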