So adding the below line should work:

+user=system seinfo=platform domain=abc_app type=app_data_file levelFrom=user

I have defined the abc_app domain.

-----Original Message-----
From: Stephen Smalley [mailto:[email protected]]
Sent: Tuesday, September 22, 2015 7:14 PM
To: Inamdar Sharif; [email protected]
Subject: Re: Restrict access to a particular system app

On 09/22/2015 06:01 AM, Inamdar Sharif wrote:
> Hi Guys,
>
> How do I restrict the access of a particular /dev node to only a
> particular system app, so that other system apps are not able to access it?
>
> For example,
> If I have node /dev/abc and system apps A, B, C,
> I want only system app A to be able to access /dev/abc.
> System apps B and C should not be able to access that node.
>
> So how do I prevent this scenario using SELinux?

You assign a specific type to the device node (i.e. define a type for it in your device/nvidia/<board>/sepolicy/device.te file, and assign it to the /dev node in your file_contexts file) and assign a specific domain to the system app that is allowed access (i.e. define a new domain for the authorized app, assign a specific seinfo value based on signer and package in your mac_permissions.xml file, and assign a specific domain and type based on seinfo in your seapp_contexts file). Then you can further add a neverallow rule to ensure that no other domains can ever access the device node.

_______________________________________________
Seandroid-list mailing list
[email protected]
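A worked set of policy fragments for the steps in the quoted reply, added here as an illustration; it is not code from the original thread or from any vendor tree. The node path /dev/abc and the domain name abc_app come from the thread; the type name abc_device, the seinfo value abc, the package name com.example.abc, and the placement of each fragment in the board sepolicy directory are assumptions (each fragment is headed with a comment naming the file it belongs in). It keys the seapp_contexts entry on a dedicated seinfo value plus the package name rather than on seinfo=platform, because an entry that matches seinfo=platform applies to every platform-signed app, not only app A.

```sepolicy
# device/nvidia/<board>/sepolicy/device.te
# A dedicated type for the node, so rules can name it instead of the
# generic "device" type shared by unlabelled /dev entries.
type abc_device, dev_type;

# device/nvidia/<board>/sepolicy/file_contexts
# Label the node when ueventd creates it.
/dev/abc            u:object_r:abc_device:s0

# device/nvidia/<board>/sepolicy/abc_app.te
# A private domain for app A; app_domain() pulls in the rules common to
# all app domains (binder, zygote transition, etc.).
type abc_app, domain;
app_domain(abc_app)

# The only rule in the whole policy that grants use of the node.
allow abc_app abc_device:chr_file rw_file_perms;

# Build-time guarantee: no other domain may ever be granted use of the node.
# ueventd is excluded because it creates and labels the node. Any conflicting
# allow rule anywhere in the policy (for system_app, for example) makes the
# policy build fail instead of silently widening access.
neverallow { domain -abc_app -ueventd } abc_device:chr_file { open read write ioctl };

# device/nvidia/<board>/sepolicy/mac_permissions.xml
# Added inside the existing @PLATFORM signer stanza (the build substitutes
# the platform certificate for @PLATFORM). Only the platform-signed package
# com.example.abc (assumed name) receives seinfo "abc"; every other
# platform-signed app keeps the default "platform" seinfo.
<signer signature="@PLATFORM" >
  <package name="com.example.abc" >
    <seinfo value="abc" />
  </package>
  <seinfo value="platform" />
</signer>

# device/nvidia/<board>/sepolicy/seapp_contexts
# Map that seinfo and package to the new domain. This entry is more specific
# than the stock "user=system seinfo=platform domain=system_app ..." line,
# so it wins for app A while B and C keep landing in system_app.
user=system seinfo=abc name=com.example.abc domain=abc_app type=system_app_data_file
```

After a build, `ls -Z /dev/abc` should report u:object_r:abc_device:s0 and `ps -Z` should show app A's process in u:r:abc_app:s0; an attempt by B or C to open the node then surfaces in logcat as an avc denial with scontext=u:r:system_app:s0 and tcontext=u:object_r:abc_device:s0, which is the cheapest way to confirm the labels took effect.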
