Didn't Stephen submit the patch for the ability to set context labels? Granted, it's not a complete solution. The ideal solution IMO is doing it at build time like ext4. I looked into this some time back, and it didn't look too hard to add xattr support to ramdisk.
Also, you're missing one use case of seclabel. Suppose that init execs sh and you want those shell transitions in some other domain, a la the defunct init_shell domain. Now suppose a service that provides a serial console (not adbd) is running shell. You don't want that console in init_shell domain, you want it in shell, so an explicit seclabel on that instance of init domain exec shell can be used.

On Feb 7, 2015 6:55 AM, "Nick Kralevich" <n...@google.com> wrote:
> Currently, Android's init.rc supports a seclabel entry for services. This
> allows you to specify an SELinux domain for a service, without relying on
> the transition rules defined by policy.
>
> One of the primary reasons why the seclabel entries exist is because the
> root filesystem doesn't support labeling. Labeling is only done on /system,
> not on rootfs. As a result, we can't rely on SELinux's built in domain
> transition code.
>
> Does anyone recall why the root filesystem doesn't support labeling? Is it
> just something which hasn't been implemented yet, or some more fundamental
> problem?
>
> We support setting the traditional file permissions on rootfs files, but
> not selinux labels, which seems odd to me.
>
> This came up in the context of
> https://android-review.googlesource.com/129923
>
> --
> Nick Kralevich | Android Security | n...@google.com | 650.214.4037
>
> _______________________________________________
> Seandroid-list mailing list
> Seandroid-list@tycho.nsa.gov
> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> seandroid-list-requ...@tycho.nsa.gov.
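To make the two mechanisms in this thread concrete, here is an illustrative init.rc service plus the matching policy fragment. This is an added example, not code from either message, from AOSP, or from the review linked above. It assumes the domain names used in the thread (init, shell, init_shell) plus the conventional shell_exec file type for /system/bin/sh; init_shell is hypothetical here, as the reply says it is defunct.

```text
# --- policy side (hypothetical .te fragment) ---
# Default rule: when init execs a file labeled shell_exec, the new process
# lands in the hypothetical init_shell domain via SELinux's own
# type_transition machinery. This only works because /system/bin/sh lives
# on /system, which carries labels; a binary on rootfs would have no
# usable file type to key the transition on.
type_transition init shell_exec:process init_shell;

# --- init.rc side (illustrative service entry) ---
# The serial console runs /system/bin/sh from the init domain, so the rule
# above would put it in init_shell. The explicit seclabel makes init call
# setexeccon() with this context before exec, which takes precedence over
# the policy's type_transition, so the console ends up in shell instead.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log
    seclabel u:r:shell:s0
```

Two checks a practitioner would want after applying something like this: confirm with `ps -Z` on the device that the console process really shows u:r:shell:s0 while other init-spawned shells show the default domain, and keep in mind that seclabel bypasses the policy's transition logic entirely, so the policy must still allow init to transition to the named domain (otherwise init fails to start the service, rather than silently running it in init's own domain).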