On Sat, Feb 7, 2015 at 7:21 AM, William Roberts <bill.c.robe...@gmail.com> wrote:
> Didn't Stephen submit the patch for the ability to set context labels?
> Granted it's not a complete solution.
>

Yes, that was https://android-review.googlesource.com/58360 (and other related kernel patches)

> Ideal solution IMO is doing it at build time like ext4. I looked into this
> some time back, and it didn't look too hard to add xattr support to ramdisk.
>

Sorry if I wasn't clear. This is exactly what I'm hoping we can do long term. Labeling at runtime is ok as a short term solution, but longer term, it feels like the selinux labels should be embedded within the ramdisk itself at build time.

> Also, you're missing one use case of seclabel. Suppose that init execs sh
> and you want those shell transitions in some other domain, ala the defunct
> init_shell domain. Now suppose a service that provides a serial console
> (not adbd) is running shell. You don't want that console in init_shell
> domain, you want it in shell, so an explicit seclabel on that instance of
> init domain exec shell can be used.
>

I've been trying to move all of those to dedicated shell scripts, and apply a proper label to the shell script itself. A perfect example of this is a change I uploaded yesterday: https://android-review.googlesource.com/129920 . I could have used seclabel on this service to force it into its own domain, but relying on the labeling of the shell script feels like a cleaner solution.

> On Feb 7, 2015 6:55 AM, "Nick Kralevich" <n...@google.com> wrote:
>
>> Currently, Android's init.rc supports a seclabel entry for services. This
>> allows you to specify an SELinux domain for a service, without relying on
>> the transition rules defined by policy.
>>
>> One of the primary reasons why the seclabel entries exist is because the
>> root filesystem doesn't support labeling. Labeling is only done on /system,
>> not on rootfs. As a result, we can't rely on SELinux's built-in domain
>> transition code.
>>
>> Does anyone recall why the root filesystem doesn't support labeling? Is
>> it just something which hasn't been implemented yet, or some more
>> fundamental problem?
>>
>> We support setting the traditional file permissions on rootfs files, but
>> not selinux labels, which seems odd to me.
>>
>> This came up in the context of
>> https://android-review.googlesource.com/129923
>>
>> --
>> Nick Kralevich | Android Security | n...@google.com | 650.214.4037
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> Seandroid-list@tycho.nsa.gov
>> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
>> To get help, send an email containing "help" to
>> seandroid-list-requ...@tycho.nsa.gov.
>>
>

--
Nick Kralevich | Android Security | n...@google.com | 650.214.4037
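The two approaches discussed in this thread, side by side, as an added example that is not part of the original messages and is not taken from AOSP or from the changes linked above. The service name `console_helper`, both script paths, and the types `console_helper` and `console_helper_exec` are hypothetical.

```text
# ---- Option A: explicit seclabel in init.rc ----
# init sets the service's domain itself, so no labeled executable is needed.
# This is why it works for files on rootfs, which carry no per-file label.
# (hypothetical service name, path and domain)
service console_helper /sbin/console_helper.sh
    class main
    seclabel u:r:console_helper:s0
    oneshot

# ---- Option B: label the script and let policy drive the transition ----
# init.rc: no seclabel line. The script lives on /system, which is labeled.
# init must exec the script directly (the script starts with a #! line);
# if the service line ran /system/bin/sh with the script as an argument,
# the transition would be keyed on the shell's label, not the script's.
service console_helper /system/bin/console_helper.sh
    class main
    oneshot

# file_contexts: give the script its own exec type (hypothetical type name).
/system/bin/console_helper\.sh    u:object_r:console_helper_exec:s0

# console_helper.te: declare the types and the init -> console_helper
# automatic transition on exec of a console_helper_exec file.
type console_helper, domain;
type console_helper_exec, exec_type, file_type;
init_daemon_domain(console_helper)

# The script's interpreter is the system shell, so the new domain needs
# permission to execute it without transitioning again.
allow console_helper shell_exec:file rx_file_perms;
```

With Option B the domain assignment is reviewable entirely in policy and `file_contexts`, and a service whose script is mislabeled stays in the `init` domain rather than silently landing in the intended one, which is worth checking with `ps -Z` after boot.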