Hi all,

I created a new directory, /data/mydir, and labelled it in file_contexts as:

    /data/mydir(/.*)?    u:object_r:my_data_file:s0

In file.te I defined the new type as:

    type my_data_file, file_type, data_file_type, mlstrustedobject;

In my type enforcement file "myapp.te" I added the following rules:

    allow my_app my_data_file:dir create_dir_perms;
    allow my_app my_data_file:file create_file_perms;

All the files are located in the device/lge/hammerhead/sepolicy directory. My seapp_contexts contains:

    user=_app seinfo=mydomain domain=my_app type=app_data_file levelFrom=user

Now only apps running in mydomain are able to read and write to that directory, but the problem is that even the root user has access to /data/mydir, i.e. through the shell in su mode I am able to read/write the files in /data/mydir.

My question is: can we restrict access to only apps running in mydomain, so that even root cannot access that directory? How can I achieve this? Has keeping mlstrustedobject in file.te created this problem?

Please help me with this issue. I am using the seandroid 4.4.4 branch.
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
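The question above is really two questions: what mlstrustedobject does, and why a domain other than my_app reaches my_data_file. mlstrustedobject only exempts the object from MLS (level) constraints; it grants no type-enforcement access. Access from the root shell comes from allow rules whose source or target is an attribute (my_data_file carries file_type and data_file_type, so any rule written against those attributes reaches it) and, on a userdebug build, from the su domain being permissive, in which case denials are logged rather than enforced. The usual way to make such grants visible at build time is a neverallow rule, which checkpolicy refuses to compile past. The following small policy linter is an added example and is not code from the poster, the list, or the AOSP tree; it parses the thread's own statements plus a constructed stand-in for su (the permissive/unconfined modelling of su and the unconfineddomain attribute are assumptions, not taken from the post) and reports which domains reach a file type and whether a neverallow is violated.

```python
"""Tiny SELinux TE linter: which domains reach a file type, and do neverallow rules hold?"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "kind source target cls perms")

# allow/neverallow SOURCE TARGET:CLASS PERMS, where SOURCE/TARGET/PERMS may be '{ ... }' sets
_RULE = re.compile(
    r"^(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^:\s]+):(\S+)\s+(\{[^}]*\}|\S+)$")


def parse_te(text):
    """Parse the TE subset used in this thread: type, attribute, typeattribute, permissive,
    allow and neverallow. Permission macros such as create_file_perms are kept as opaque
    names (m4 expands them in the real build), so matching them only works via '*'."""
    policy = {"types": {}, "attributes": set(), "permissive": set(), "rules": []}
    body = re.sub(r"#[^\n]*", "", text)  # strip comments
    for stmt in (s.strip() for s in body.split(";")):
        if not stmt:
            continue
        tok = stmt.replace(",", " ").split()
        if tok[0] == "type":  # type NAME, attr1, attr2, ...
            policy["types"].setdefault(tok[1], set()).update(tok[2:])
        elif tok[0] == "attribute":
            policy["attributes"].add(tok[1])
        elif tok[0] == "typeattribute":  # typeattribute TYPE attr1 attr2 ...
            policy["types"].setdefault(tok[1], set()).update(tok[2:])
        elif tok[0] == "permissive":
            policy["permissive"].add(tok[1])
        elif tok[0] in ("allow", "neverallow"):
            m = _RULE.match(" ".join(stmt.split()))
            if not m:
                raise ValueError("unsupported rule syntax: " + stmt)
            kind, src, tgt, cls, perms = m.groups()
            policy["rules"].append(Rule(kind, src, tgt, cls, set(perms.strip("{}").split())))
        else:
            raise ValueError("unsupported statement: " + stmt)
    return policy


def expand(policy, spec):
    """Resolve a type, an attribute, or a '{ a b -c }' set to the concrete types it names."""
    types = policy["types"]

    def one(name):
        if name in types:
            return {name}
        return {t for t, attrs in types.items() if name in attrs}  # attribute -> members

    if not spec.startswith("{"):
        return one(spec)
    keep, drop = set(), set()
    for item in spec.strip("{}").split():
        (drop if item.startswith("-") else keep).update(one(item.lstrip("-")))
    return keep - drop


def who_can_access(policy, target_type):
    """Map every domain holding an allow rule on target_type (directly or through an attribute
    on either side) to the (class, permission) pairs it is granted."""
    access = {}
    for r in policy["rules"]:
        if r.kind != "allow" or target_type not in expand(policy, r.target):
            continue
        for dom in expand(policy, r.source):
            access.setdefault(dom, set()).update((r.cls, p) for p in r.perms)
    return access


def neverallow_violations(policy):
    """Mirror checkpolicy's build-time check: (allow, neverallow) pairs that conflict."""
    out = []
    never = [r for r in policy["rules"] if r.kind == "neverallow"]
    for a in (r for r in policy["rules"] if r.kind == "allow"):
        for n in never:
            if a.cls != n.cls:
                continue
            if not (expand(policy, a.source) & expand(policy, n.source)):
                continue
            if not (expand(policy, a.target) & expand(policy, n.target)):
                continue
            if "*" in n.perms or a.perms & n.perms:
                out.append((a, n))
    return out


# Constructed policy fragment: the thread's statements plus an ASSUMED stand-in for the
# userdebug su domain (permissive, and carrying a broad attribute with rules on file_type).
SAMPLE_TE = """
attribute domain; attribute file_type; attribute data_file_type;
attribute mlstrustedobject; attribute unconfineddomain;
type my_data_file, file_type, data_file_type, mlstrustedobject;
type my_app, domain;
type untrusted_app, domain;
type su, domain;
typeattribute su unconfineddomain;
permissive su;
allow my_app my_data_file:dir create_dir_perms;
allow my_app my_data_file:file create_file_perms;
allow unconfineddomain file_type:dir { read write create };
allow unconfineddomain file_type:file { read write open };
# build-time guard: nobody but my_app may touch files of this type
neverallow { domain -my_app } my_data_file:file *;
"""

if __name__ == "__main__":
    pol = parse_te(SAMPLE_TE)
    for dom, perms in sorted(who_can_access(pol, "my_data_file").items()):
        note = " (permissive: denials only logged)" if dom in pol["permissive"] else ""
        print(dom + note, sorted(perms))
    for a, n in neverallow_violations(pol):
        print("neverallow violated by:", a)
```

Run against the constructed fragment, the linter reports that su reaches my_data_file through the file_type attribute even though no rule names my_data_file or su directly, that su is permissive, and that the neverallow is violated by the unconfineddomain rule. Removing mlstrustedobject changes none of those three findings, which is the point: the object attribute is not what lets root in.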