The type should have the file_type attribute, but it should not have the exec_type attribute. exec_type is only for types on executables in /system used to transition into a new domain.

On Mon, Dec 1, 2014 at 12:14 AM, Inamdar Sharif <isha...@nvidia.com> wrote:
> Hi,
>
>>>Most likely you did not define your new file types with the file_type
>>>attribute and thus they are not allowed to be associated to the rootfs, or
>>>your policy lacks the change permitting file_type rootfs:filesystem
>>>associate;
> I had this all in my setup. Defining a type is the first requirement.
>
> I am now able to label test folder properly.
> But if I try to label the files in it (test/xyz) explicitly as exec it runs
> into a neverallow rule for relabelto.
>
> # Only recovery should be doing writes to /system
> neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
> { create write setattr relabelfrom relabelto append unlink link rename };
>
> Thanks.
>
> -----Original Message-----
> From: Stephen Smalley [mailto:stephen.smal...@gmail.com]
> Sent: Friday, November 28, 2014 10:01 PM
> To: Inamdar Sharif
> Cc: William Roberts; seandroid-list@tycho.nsa.gov
> Subject: Re: label folder in rootfs
>
> Then you should have an avc: denied message in your dmesg or logcat output
> that shows the cause of the permission denial. Most likely you did not
> define your new file types with the file_type attribute and thus they are not
> allowed to be associated to the rootfs, or your policy lacks the change
> permitting file_type rootfs:filesystem associate;
>
> On Fri, Nov 28, 2014 at 2:30 AM, Inamdar Sharif <isha...@nvidia.com> wrote:
>> Checked my kernel and I already have that patch in my tree.
>>
>> I tried the approach what Stephen mentioned but still no luck.
>>
>> This is what I get in logs.
>>
>> SELinux: Could not set contexts for /test: Permission Denied.
>>
>> Thanks.
>>
>> From: Seandroid-list [mailto:seandroid-list-boun...@tycho.nsa.gov] On Behalf Of Inamdar Sharif
>> Sent: Friday, November 28, 2014 11:00 AM
>> To: William Roberts
>> Cc: seandroid-list@tycho.nsa.gov
>> Subject: RE: label folder in rootfs
>>
>> Thanks.
>> Will give that a try.
>>
>> From: William Roberts [mailto:bill.c.robe...@gmail.com]
>> Sent: Thursday, November 27, 2014 8:46 PM
>> To: Inamdar Sharif
>> Cc: seandroid-list@tycho.nsa.gov; Stephen Smalley
>> Subject: RE: label folder in rootfs
>>
>> You need to remount it writeable too.
>>
>> adb shell mount -orw,remount /
>>
>> Here's the patch:
>> https://android-review.googlesource.com/58360
>>
>> On Nov 27, 2014 7:09 AM, "Inamdar Sharif" <isha...@nvidia.com> wrote:
>>
>> Yes I had tried this in the first place.
>> But still it is unable to label the directories and files properly.
>>
>> It says "Unable to set contexts :Read-only file system"
>>
>> Thanks.
>>
>> -----Original Message-----
>> From: Stephen Smalley [mailto:stephen.smal...@gmail.com]
>> Sent: Thursday, November 27, 2014 8:32 PM
>> To: Inamdar Sharif
>> Cc: seandroid-list@tycho.nsa.gov
>> Subject: Re: label folder in rootfs
>>
>> Define file_contexts entries for /test and /test/xyz and then call
>> restorecon /test and restorecon /test/xyz (or just restorecon_recursive
>> /test) from your init.<board>.rc file.
>>
>> Please refrain from including signature blocks that impose
>> restrictions on redistribution of your email when posting to public mailing
>> lists.
>>
>> On Thu, Nov 27, 2014 at 9:08 AM, Inamdar Sharif <isha...@nvidia.com> wrote:
>>> Hi,
>>>
>>> Here is my problem:
>>>
>>> I want to create a new folder inside rootfs and add some files to it.
>>> Now I want to label this folder something else.
>>> Also the folder is read-only.
>>>
>>> For example,
>>> Suppose my folder is “test” and I want to label it as “test_file”
>>>
>>> Also would like to label the files explicitly
>>>
>>> /test -> test_file
>>> /test/xyz -> xyz_file
>>>
>>> So how do I do this??
>>>
>>> Thanks.
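As an added example (not code from this thread or from the AOSP policy), here is a small Python lint that applies the rule from the reply at the top of the thread to type declarations and file_contexts entries: every labelled type needs the file_type attribute, and exec_type belongs only on paths under /system. The policy text is constructed; test_file and xyz_file come from the thread, while nolabel_file, foo_exec, /test/abc and /system/bin/foo are hypothetical names.

```python
import re

# Constructed sample policy; only test_file and xyz_file appear in the thread.
SAMPLE_TE = """
type test_file, file_type;
type xyz_file, file_type, exec_type;   # the labelling that hit the neverallow
type nolabel_file;                     # hypothetical: file_type forgotten
type foo_exec, exec_type, file_type;   # hypothetical /system executable type
"""
SAMPLE_CONTEXTS = """
/test(/.*)?      u:object_r:test_file:s0
/test/xyz        u:object_r:xyz_file:s0
/test/abc        u:object_r:nolabel_file:s0
/system/bin/foo  u:object_r:foo_exec:s0
"""

def parse_types(te_text):
    """Map each declared type to the set of attributes on its declaration."""
    decl = re.compile(r"^\s*type\s+(\w+)((?:\s*,\s*\w+)*)\s*;", re.M)
    return {m.group(1): set(re.findall(r"\w+", m.group(2)))
            for m in decl.finditer(te_text)}

def parse_contexts(fc_text):
    """Yield (path_regex, type) pairs from file_contexts lines."""
    for line in fc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            # The context is the last field: user:role:type:level
            yield fields[0], fields[-1].split(":")[2]

def lint(te_text, fc_text):
    """Return (path, type, problem) tuples for labels the thread warns about."""
    types = parse_types(te_text)
    findings = []
    for path, typ in parse_contexts(fc_text):
        attrs = types.get(typ)
        if attrs is None:
            findings.append((path, typ, "type not declared"))
            continue
        if "file_type" not in attrs:
            findings.append((path, typ, "missing file_type attribute"))
        if "exec_type" in attrs and not path.startswith("/system/"):
            findings.append((path, typ, "exec_type outside /system"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_TE, SAMPLE_CONTEXTS):
        print(finding)
```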