On Mon, Feb 9, 2015 at 1:50 PM, Dong Zhou <dong.z...@gm.com> wrote:
> Hi, Stephen
>
> Thanks a bunch for your reply. Suppose if we really have special permission
> requirements, what should be the "right" way to do that?
>
> As Stephen stated, "Presently the only way to do it is to copy the
> system_app.te rules into a new domain .te file and just rename system_app
> to your new domain name. If you wanted to do it more easily, you could take
> the system_app.te rules to a macro defined in te_macros and then call that
> macro from multiple .te files, or define a new attribute, change the
> system_app.te rules to use that new attribute instead of system_app, and
> assign system_app and your new domains to that attribute."

I think most of this is preference, I typically do the attribute approach.
I'll create a system_app_domain attribute and then take all the allow
system_app rules and change them to allow system_app_domain. Then from
there, attribute system_app to the system_app_domain. Then, use that
attribute in the new domain as well. I think this is the most "pure
approach". Also, *I think* this ends up being the smallest binary
representation of policy size as well; but don't quote me on that, I could
be wrong.

> thanks again
>
> Joe
> ________________________________________
> From: Stephen Smalley <stephen.smal...@gmail.com>
> Sent: Monday, February 09, 2015 7:44 AM
> To: Dong Zhou
> Cc: seandroid-list@tycho.nsa.gov
> Subject: Re: To allow custom domain to extend system_app type (SEAndroid)
>
> One caveat I would note is that you should not define new app domains
> unless they truly have unique permission requirements. Domains are
> equivalence classes.
>
> On Mon, Feb 9, 2015 at 1:07 AM, Dong Zhou <dong.z...@gm.com> wrote:
> > Hi, there
> >
> > Sorry for this entry level question.
> >
> > In SEAndroid AOSP release, I understand domain and appdomain are
> > attributes, then you can define types that inherit the access permissions
> > from them. Actually, system_app, platform_app and untrusted_app are all
> > using macros to inherit from appdomain attribute. My question is, if we
> > want to define my custom domains, some inherit from system_app, some from
> > platform_app or untrusted_app. But since those are already defined as
> > types, how can I extend an existing type instead of an attribute?
> >
> > What is the recommended way to handle this?
> >
> > thanks a lot!
> >
> > Joe

--
Respectfully,

William C Roberts
_______________________________________________ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
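The attribute approach from the reply above, written out as an added illustration (not AOSP policy and not code from the list). The domain name `my_custom_app`, the type `vendor_custom_file` and the individual allow rules are hypothetical placeholders standing in for the real system_app.te rules.

```selinux
# Added illustration of the attribute approach; not AOSP policy.
# my_custom_app, vendor_custom_file and the rule bodies are placeholders.

######## attributes (AOSP keeps attribute declarations in "attributes")
# Every domain attached to this attribute receives every rule written
# against it, which is what lets several domains share one rule set.
attribute system_app_domain;

######## system_app.te
# The existing type is attached to the attribute instead of carrying
# private rules of its own.
type system_app, domain, system_app_domain;
app_domain(system_app)

# Rules that used to read "allow system_app ..." now target the attribute,
# so they apply to system_app and to any other domain carrying it.
allow system_app_domain system_data_file:dir create_dir_perms;
allow system_app_domain system_data_file:file create_file_perms;

######## my_custom_app.te (the new domain)
# Inherits every system_app_domain rule above. Per Stephen's caveat that
# domains are equivalence classes, only the permissions that are truly
# unique to this domain belong in this file.
type my_custom_app, domain, system_app_domain;
app_domain(my_custom_app)

# Hypothetical extra access that justifies a separate domain at all.
allow my_custom_app vendor_custom_file:file rw_file_perms;

# Note (assumption, not discussed in the thread): apps are placed into
# my_custom_app by a matching seapp_contexts entry; without one the
# domain exists in policy but nothing ever runs in it.
```

Because the attribute, not the type, now carries the shared rules, any later change to system_app's permissions is made once and reaches every domain attached to `system_app_domain`.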