On 10/28/2014 02:10 PM, William Roberts wrote:
> https://android-review.googlesource.com/#/c/111744
>
> Obviously this is not a problem for you. I recall back in my early
> days with SELinux trying to do this, and even in permissive mode, if I
> did not define the domain attribute, I couldn't actually label the app
> with the bare type. Do you know of any reason why? Or was it likely
> something dumb I was doing.
>
> FYI this was on maguro.

Likely missing from the roles file. If you don't assign it the domain attribute, then the type won't be included there automatically and therefore won't be authorized for the role.

In any event, I've decided against this particular approach. Further testing was suggesting that sandbox_app would end up containing most of domain.te + app.te rules anyway, so it likely is better to just work on moving the few rules that are truly optional out of domain.te and app.te to each domain that truly requires them, and explore enabling levelFrom=all for inter-app isolation.
