On Thu, Feb 26, 2015 at 8:53 AM, Stephen Smalley <[email protected]> wrote:
> On 02/26/2015 12:46 AM, Dong Zhou wrote:
> > Hi, SE Gurus
> >
> > Got a few questions regarding policy update.
> >
> > 1) we will have no SEAdmin on the device, so do we still need to
> > use buildsebundle to create policy update?
>
> Neither SEAdmin nor buildsebundle are part of AOSP, so I guess you are
> building one of our branches?
>
> If you want to ship a policy update to a device without performing an
> OTA, you need to construct policy update bundles in the expected
> format (that's what buildsebundle does) and you need an app on the
> device that can receive such bundles and generate the
> android.intent.action.UPDATE_SEPOLICY intent to install the bundle
> (that's what SEAdmin demonstrates). You are free of course to roll your
> own tool and app if you wish; buildsebundle and SEAdmin are just
> examples. I don't know what (if anything) Google uses. IIRC, we had
> offered to upload buildsebundle to AOSP but they weren't interested.
>
> > 2) Once we push the new policy files into /data/security/current, is
> > system reboot a mandatory (or recommended) operation?
>
> The ConfigUpdate SELinuxPolicyInstallReceiver in the system_server will
> unpack the bundle under a subdirectory of /data/security, symlink
> /data/security/current to it, and then setprop selinux.reload_policy 1
> when it receives the intent, causing an immediate reload. However,
> mac_permissions.xml changes do not take effect without a reboot, and
> labeling changes in file_contexts are not retroactively applied without
> a reboot (and no changes to /system labeling are possible without an OTA
> upgrade).
> Also, if the issue is in early boot, before /data is mounted, you won't be able to correct any issues there without an OTA.
>
> > 3) How to ensure the updated sepolicy binary is from the original policy
> > issuer and has not been tampered with?
>
> The bundle has to be signed by a certificate from otacerts.zip or it
> will be rejected by the ConfigUpdate mechanism.
>
> > BTW, we are using Lollipop, with both external/sepolicy and
> > device/<device-name>/sepolicy
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].

--
Respectfully,
William C Roberts
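As an added illustration (not code from the thread, from AOSP, or from the ConfigUpdate receiver Stephen describes), the Python below models the install steps from his answer: unpack a bundle into a versioned directory under /data/security, repoint the `current` symlink at it, and then decide whether `setprop selinux.reload_policy 1` is enough or whether a reboot is needed because mac_permissions.xml or file_contexts changed. It adds one caveat the thread does not spell out: the symlink is swapped with an atomic rename, so a crash mid-update leaves either the old or the new policy selected, never a dangling `current`. The directory layout, bundle contents and all function names are constructed for the example; it runs in a temporary directory and does no signature checking, which on a real device happens against otacerts.zip before any of this runs.

```python
import os
import tempfile

# Files the thread says need a reboot to take full effect: mac_permissions.xml
# is only read at boot, and file_contexts changes are not retroactively applied
# to files that were already labelled.
REBOOT_REQUIRED = {"mac_permissions.xml", "file_contexts"}


def install_policy_bundle(security_root, version, files):
    """Write a bundle's files into <security_root>/<version>/ and atomically
    repoint <security_root>/current at that directory. `files` maps file name
    to bytes (a constructed stand-in for the unpacked bundle contents)."""
    target = os.path.join(security_root, version)
    os.makedirs(target, exist_ok=False)  # never overwrite an installed version in place
    for name, data in files.items():
        with open(os.path.join(target, name), "wb") as fh:
            fh.write(data)
    # Create the new link under a temporary name, then rename it over "current".
    # rename() replaces atomically on POSIX, so readers never see "current"
    # missing or dangling, even if the process dies between the two calls.
    tmp_link = os.path.join(security_root, ".current.tmp")
    if os.path.lexists(tmp_link):
        os.unlink(tmp_link)
    os.symlink(version, tmp_link)  # relative target: valid wherever the root is mounted
    os.replace(tmp_link, os.path.join(security_root, "current"))
    return target


def current_version(security_root):
    """Name of the version directory that "current" points at, or None."""
    link = os.path.join(security_root, "current")
    if not os.path.islink(link):
        return None
    return os.path.basename(os.path.realpath(link))


def changed_files(security_root, old_version, new_version):
    """Set of file names whose contents differ between two installed versions;
    a file present in only one of them counts as changed."""
    old_dir = os.path.join(security_root, old_version)
    new_dir = os.path.join(security_root, new_version)
    changed = set()
    for name in set(os.listdir(old_dir)) | set(os.listdir(new_dir)):
        paths = [os.path.join(d, name) for d in (old_dir, new_dir)]
        if not all(os.path.exists(p) for p in paths):
            changed.add(name)
            continue
        with open(paths[0], "rb") as a, open(paths[1], "rb") as b:
            if a.read() != b.read():
                changed.add(name)
    return changed


def reload_action(changed):
    """What the thread says must happen for `changed` to take effect:
    'reload' (the selinux.reload_policy trigger suffices) or 'reboot'."""
    return "reboot" if changed & REBOOT_REQUIRED else "reload"


def run_scenario():
    """Push three constructed bundle versions through the install flow and
    record what each step needed. Returns a dict for inspection."""
    root = tempfile.mkdtemp(prefix="security-")
    v1 = {"sepolicy": b"binary policy v1",
          "file_contexts": b"/data(/.*)? u:object_r:v1:s0",
          "mac_permissions.xml": b"<policy version='1'/>"}
    v2 = dict(v1, sepolicy=b"binary policy v2")                       # only the binary policy changed
    v3 = dict(v2, file_contexts=b"/data(/.*)? u:object_r:v3:s0")      # a labeling change
    result = {}
    install_policy_bundle(root, "v1", v1)
    result["after_v1"] = current_version(root)
    install_policy_bundle(root, "v2", v2)
    result["after_v2"] = current_version(root)
    result["v1_kept"] = os.path.isdir(os.path.join(root, "v1"))       # old version stays for rollback
    result["v1_to_v2"] = reload_action(changed_files(root, "v1", "v2"))
    install_policy_bundle(root, "v3", v3)
    result["after_v3"] = current_version(root)
    result["v2_to_v3"] = reload_action(changed_files(root, "v2", "v3"))
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point of keeping each version in its own directory and only moving the `current` link is that a bad update can be backed out by repointing the link, and the file comparison tells an operator up front whether the thread's reboot caveat applies before they trigger the reload.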
