François GILBERT wrote:
Hello SEAndroid folks, As I was browsing the rules of SEAndroid, I read a lot of "self" allow rules (i.e. allow bluetooth self:tun_socket create_socket_perms;). And I was wondering about the usefulness of these rules.
Several object classes don't really have objects (capabilities, netlink_socket, etc.),
so those rules use self and the object manager uses the domain as the subject and object.
Also, several object classes have objects that are created with the domain type (unix_stream_socket, tun_socket, etc)
so those rules are actually checked against an object that has the same type as the subject, because it created them.
<snip>
But for some rules like "allow bluetooth self:tun_socket create_socket_perms" I do not see the usefulness. I mean a type has all permissions in its own domain? Or I'm wrong and these permissions must be present in the policy as well as other permissions?
No, a type does not automatically have all permissions in its domain. SELinux does not have implicit rules; if there isn't an explicit allow rule, access will be denied.
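To make the two points of this reply concrete (the "self" target resolves to the subject's own type, and nothing is granted without an explicit allow rule), here is a small added example, not from the thread or the SEAndroid policy: a toy access-vector checker over a constructed three-rule policy. The expansion of create_socket_perms is written from memory of the SEAndroid macro and is an assumption.

```python
import re
from collections import defaultdict

# Assumed expansion of the SEAndroid macro create_socket_perms
# ({ create rw_socket_perms }); treat it as illustrative, not authoritative.
MACROS = {"create_socket_perms": {"create", "ioctl", "read", "getattr", "write",
                                  "setattr", "append", "bind", "connect",
                                  "getopt", "setopt", "shutdown"}}

# Constructed mini policy, modelled on the rules discussed in the thread.
POLICY = """
allow bluetooth self:tun_socket create_socket_perms;
allow bluetooth self:capability { net_admin net_raw };
allow bluetooth bluetooth_data_file:file { read write };
"""

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_policy(text):
    """Parse 'allow src tgt:cls perms;' lines into {(src, tgt, cls): perms}.

    The 'self' keyword is stored verbatim and resolved at check time, as in
    SELinux: it matches only when the target type equals the subject type.
    """
    rules = defaultdict(set)
    for src, tgt, cls, perms in RULE_RE.findall(text):
        for p in perms.strip("{} ").split():
            rules[(src, tgt, cls)] |= MACROS.get(p, {p})
    return rules


def allowed(rules, subject, target, cls, perm):
    """Grant access only on an explicit allow rule.

    A socket created by the bluetooth domain is labelled bluetooth, so a
    bluetooth -> bluetooth check needs either an explicit rule naming the
    type or a 'self' rule; there is no implicit 'own objects' permission.
    """
    if perm in rules.get((subject, target, cls), set()):
        return True
    return subject == target and perm in rules.get((subject, "self", cls), set())


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    # Same subject and object type, but no rule for this class: denied.
    print(allowed(rules, "bluetooth", "bluetooth", "unix_stream_socket", "create"))
```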
