Yes, that I have tried and it works fine already. But here the problem does not seem as simple as we are thinking.

Whatever we do it's going to hit some or the other neverallow rule. For ueventd, healthd, adbd, /sbin is labelled as rootfs which is why it works. But for /test it is labelled as test_file and the /test/xyz is labelled as xyz_file. We have rules for rootfs but when it's something different then it's going to hit some neverallow rule. For example, what Stephen suggested will hit the below neverallow rule:

    neverallow domain { file_type -exec_type }:file entrypoint;

Thanks.
--Sharif

-----Original Message-----
From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
Sent: Tuesday, December 02, 2014 9:17 PM
To: Inamdar Sharif; Nick Kralevich
Cc: seandroid-list@tycho.nsa.gov
Subject: Re: label folder in rootfs

On 12/02/2014 02:49 AM, Inamdar Sharif wrote:
> This means that the exec outside /system will not be run by init.
>
> Is this a limitation??
>
> But what if I want to run a service (executable) before /system is
> mounted and after SELinux initialization.
>
> So is it possible to do this way??

Yes, see how we handle other services run from the rootfs rather than /system, e.g. ueventd, healthd, adbd. You don't need a specific exec type on those executables, just specify a seclabel option within the service stanza in the init.rc file and init will explicitly transition to that context when executing the program. You will need to allow your new domain rootfs:file entrypoint permission so that it can be entered via that program, but you don't need to label it specifically.
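As an added example (not from the thread, not AOSP policy), here is the shape of a policy that keeps the seclabel-based transition Stephen describes while staying clear of the quoted neverallow: the binary's type carries the exec_type attribute, so it falls outside `{ file_type -exec_type }`. The domain name `xyz`, the type `xyz_exec` and the path /test/xyz are placeholders following the thread; `domain`, `file_type`, `exec_type` and the `seclabel` keyword are the existing AOSP policy and init.rc conventions the thread refers to. Additional allow rules the service needs at runtime (e.g. for init's exec and transition, as the existing rootfs services have) are not shown.

```sepolicy
# xyz.te (placeholder names): a domain for a service started from the rootfs
type xyz, domain;

# The executable's type is both file_type and exec_type. A type that is only
# file_type (like the xyz_file mentioned in the thread) is caught by:
#   neverallow domain { file_type -exec_type }:file entrypoint;
# because it sits inside { file_type -exec_type }.
type xyz_exec, exec_type, file_type;

# Let the xyz domain be entered through its own executable.
allow xyz xyz_exec:file entrypoint;

# If the binary is instead left with the rootfs label (Stephen's suggestion),
# this is the rule the thread names, and no exec_type is required because
# rootfs is not a plain file_type-only label in the sense of the neverallow:
#   allow xyz rootfs:file entrypoint;

# file_contexts (placeholder path): label only the binary, not the /test directory
/test/xyz    u:object_r:xyz_exec:s0

# init.rc (placeholder service): explicit context, the same way ueventd/healthd
# are started from the rootfs before /system is mounted
service xyz /test/xyz
    class core
    seclabel u:r:xyz:s0

on early-init
    start xyz
```

Whichever of the two entrypoint rules is used, check the result with the neverallow checker that runs at policy build time (checkpolicy rejects a policy that violates a neverallow), rather than discovering it as a denial on the device.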