> On 06/17/2014 09:27 AM, "François GILBERT" wrote:
>>
>> Hi,
>>
>> I'm just curious about the way SE policies are updated. I mean, is there a
>> better way or a common way to update an SE policy?
>> Currently, I work with the file_contexts file in order to perform some
>> analysis between policies, and I found some types that are not used in the
>> policy. So, does that mean that these types are deprecated and the
>> file_contexts is not yet updated, or that these types are newly defined
>> types that are not yet used in the policy? What is most likely?
>> In other words, can I expect file_contexts and policy from official
>> releases (Google, Samsung, NSA, ...) to be consistent?
>>
>> Unfortunately I can't give an example from the current SEAndroid policy,
>> as it seems consistent, and it's more frequent with Samsung's SE policy.
>
> Not used (i.e. never appears in an allow rule) or not defined (i.e. no
> type declaration for the type in the policy at all)? The former can
> occur (and even be valid, as the type may nonetheless be authorized for
> use via attribute-based rules on attributes associated with the type).
> The latter is checked at build time by the checkfc program, run by
> external/sepolicy/Android.mk on sepolicy and the file_contexts file to
> validate that all entries are legal and defined, so if you are finding
> inconsistencies there it indicates that Samsung (or whomever) has either
> disabled the checking in their builds or is post-processing the
> file_contexts configuration after or outside the normal build process.
> We have seen indications that our build-time validation is not being
> applied by Samsung to other files (e.g. seapp_contexts, checked via
> checkseapp as part of external/sepolicy/Android.mk as well), so it
> wouldn't surprise me, but this is checked for AOSP and our policies.
>
When I said "not used", I meant "not defined at all". I will ensure that I have the correct file_contexts (I didn't extract them myself), but I think you may be right about Samsung's file_contexts...

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
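The reply quoted above draws a line between a type that is *not defined* in the policy (which checkfc rejects at build time) and a type that is defined but never named directly in an allow rule (which can still be legitimate when the rules target one of its attributes). The script below is an added example that reproduces that distinction for the kind of file_contexts-versus-policy comparison described in the thread; it is not the list's code and not AOSP's checkfc. The policy text and file_contexts text are constructed samples in the shape of a policy.conf source and a file_contexts file, and the regular-expression parser handles only the simple `type`, `typeattribute` and `allow` forms shown (no macros, no `neverallow`, no conditional blocks).

```python
"""Classify the types named in a file_contexts file against a policy source.

Added example, not code from the list thread or from AOSP's checkfc.
Verdicts per type:
  UNDEFINED           no type declaration at all (checkfc would fail the build)
  USED_DIRECTLY       named as source or target of an allow rule
  USED_VIA_ATTRIBUTE  only an attribute of the type appears in allow rules
  DEFINED_BUT_UNUSED  declared, but neither it nor its attributes are in any rule
"""
import re
from collections import defaultdict

# Constructed sample of a policy.conf-style source (not from any device).
SAMPLE_POLICY = """
attribute domain;
attribute file_type;
attribute data_file_type;
type init, domain;
type system_file, file_type;
type app_data_file, file_type, data_file_type;
type vendor_foo_file, file_type;
type orphan_file;
typeattribute init domain;
allow init system_file:file { read getattr open };
allow domain data_file_type:dir { search getattr };
"""

# Constructed sample file_contexts; 'undeclared_file' has no type declaration.
SAMPLE_FILE_CONTEXTS = """
/system(/.*)?           u:object_r:system_file:s0
/data/data(/.*)?        u:object_r:app_data_file:s0
/vendor/foo(/.*)?       u:object_r:vendor_foo_file:s0
/orphan(/.*)?           u:object_r:orphan_file:s0
/undeclared(/.*)?       u:object_r:undeclared_file:s0
"""

TYPE_RE = re.compile(r"^type\s+(\w+)(?:\s*,\s*([\w\s,]+))?;", re.M)
TYPEATTR_RE = re.compile(r"^typeattribute\s+(\w+)\s+([\w\s,]+);", re.M)
# source and target may be a single name or a brace set like '{ a b }'
ALLOW_RE = re.compile(r"^allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+?)\s*:", re.M)
# path, optional file-type specifier (-- -b -c ...), then the security context
FC_RE = re.compile(r"^\S+\s+(?:--|-[bcdlps])?\s*u:object_r:(\w+):s0", re.M)


def _expand(token):
    """Turn 'name' or '{ a b }' into the set of names it lists (negation stripped)."""
    return {m.lstrip("-~") for m in token.strip("{}").split() if m.lstrip("-~")}


def _attr_list(text):
    return {a.strip() for a in text.split(",") if a.strip()}


def parse_policy(text):
    """Return ({declared type: set of attributes}, set of names used in allow rules)."""
    attrs_of = defaultdict(set)
    for name, attrs in TYPE_RE.findall(text):
        attrs_of[name].update(_attr_list(attrs))   # registers the type even with no attrs
    for name, attrs in TYPEATTR_RE.findall(text):
        if name in attrs_of:
            attrs_of[name].update(_attr_list(attrs))
    used = set()
    for src, tgt in ALLOW_RE.findall(text):
        used |= _expand(src) | _expand(tgt)
    return dict(attrs_of), used


def classify(fc_text, attrs_of, used):
    """Map every type referenced in file_contexts to one of the four verdicts."""
    report = {}
    for t in FC_RE.findall(fc_text):
        if t not in attrs_of:
            report[t] = "UNDEFINED"
        elif t in used:
            report[t] = "USED_DIRECTLY"
        elif attrs_of[t] & used:
            report[t] = "USED_VIA_ATTRIBUTE"
        else:
            report[t] = "DEFINED_BUT_UNUSED"
    return report


def undefined_types(report):
    """The only class checkfc treats as a hard error: types with no declaration."""
    return sorted(t for t, v in report.items() if v == "UNDEFINED")


def run(policy=SAMPLE_POLICY, fc=SAMPLE_FILE_CONTEXTS):
    attrs_of, used = parse_policy(policy)
    return classify(fc, attrs_of, used)


if __name__ == "__main__":
    report = run()
    for t, verdict in sorted(report.items()):
        print(f"{t:20s} {verdict}")
    # Mirror the build-time behaviour: fail only on undefined types.
    raise SystemExit(1 if undefined_types(report) else 0)
```

Only the UNDEFINED verdict corresponds to what the build-time check rejects; the other three are all legal policy states, and USED_VIA_ATTRIBUTE is the case the reply points out is easy to misread as "unused" when one greps for the type name alone. On a real device dump, feed the decompiled policy source and the extracted file_contexts into `run()` in place of the constructed samples.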