On 06/24/2014 09:59 AM, Sloan, John [GCS] wrote:
> You really went beyond the call of duty; I appreciate it.
> I did look at the AOSP code in the HEAD and saw that it was quite different.
> I spent yesterday afternoon debugging the SELinuxMMAC.java code.
> I instrumented the code to see what path it was taking and it turns out that
> your second bullet item seems to be the case.
> Not sure why yet, since the stanzas I began with were generated by setool.
> Some of our apps got the correct SEINFO value, and some fell through to
> "untrusted_app".
> (I'm a kernel/device driver/platform kind of guy, even in the Android realm,
> so the middleware is a bit mysterious to me.)
> What worked (for this prototype anyway) was hand coding something like (doing
> this from memory)
>
> <package name="com.foo.bar">
>   <allow-all/>
>   <seinfo value="xyzzy"/>
> </package>
>
> with no signature, for our own internal applications.
> Other variations might work too, that's just what got me past the audits for
> now.
> This works for the time being until I can examine this a little closer.

So, just FYI:
- Global package stanzas outside of a signer stanza are no longer supported by
  our current SELinuxMMAC.java (ditto for AOSP), and
- The permission stanzas and checking have gone away in our current
  SELinuxMMAC.java (and never existed in AOSP), obsoleted by EnterpriseOps (EOps).

This was discussed in:
http://marc.info/?l=seandroid-list&m=138384959306669&w=2
and
http://marc.info/?l=seandroid-list&m=138678470927071&w=2
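
An added example, not part of the original thread and not SE for Android project code: a small lint that flags the two constructs the reply above lists as dropped, namely package stanzas outside a signer stanza and permission stanzas. The `<policy>` root, the sample file, the function name and the two permission tag names other than `<allow-all/>` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy: one signer stanza plus the hand-coded global
# package stanza quoted in the thread. The signature value is a placeholder.
SAMPLE = """<policy>
  <signer signature="PLACEHOLDER_CERT_HEX">
    <seinfo value="platform"/>
    <package name="com.foo.signed">
      <seinfo value="xyzzy"/>
    </package>
  </signer>
  <package name="com.foo.bar">
    <allow-all/>
    <seinfo value="xyzzy"/>
  </package>
</policy>"""

# <allow-all/> is taken from the thread; the other two tag names are an
# assumption about the older permission-stanza syntax.
PERMISSION_TAGS = {"allow-all", "allow-permission", "deny-permission"}


def lint_mac_permissions(xml_text):
    """Return (kind, detail) findings for stanzas the reply says were dropped."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(node, inside_signer, package):
        for child in node:
            pkg = package
            if child.tag == "package":
                pkg = child.get("name", "?")
                # A package stanza is only valid when nested under a signer.
                if not inside_signer:
                    findings.append(("global-package", pkg))
            elif child.tag in PERMISSION_TAGS:
                where = pkg or "top level"
                findings.append(("permission-stanza", f"{child.tag} in {where}"))
            walk(child, inside_signer or child.tag == "signer", pkg)

    walk(root, False, None)
    return findings


if __name__ == "__main__":
    for kind, detail in lint_mac_permissions(SAMPLE):
        print(f"{kind}: {detail}")
```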
