On 10/12/2016 05:57 AM, peng fei wrote:
> I want to modify sepolicy and verify it.
> 
> First,
> 
> I downloaded the Android 4.4.4 sepolicy, modified file.te and
> file_contexts, and added a new type sec_file.
> #/data/audit
> type sec_file, file_type, data_file_type;
> /data/audit(/.*)?       u:object_r:sec_file:s0
> 
> --
> Second, compile the policy.
> 
> m4 -D mls_num_sens=1 -D mls_num_cats=1024 -D target_build_variant=user \
>    -s security_classes initial_sids access_vectors global_macros \
>    mls_macros mls policy_capabilities te_macros attributes *.te \
>    roles users initial_sid_contexts fs_use genfs_contexts \
>    port_contexts > policy.conf
> [pengfei@pengfei seandroid-4.4.4-external-sepolicy]$ checkpolicy -M -c 26 -o sepolicy policy.conf
> checkpolicy:  loading policy configuration from policy.conf
> checkpolicy:  policy configuration loaded
> checkpolicy:  writing binary representation (version 26) to sepolicy
> [pengfei@pengfei seandroid-4.4.4-external-sepolicy]$ file sepolicy
> sepolicy: SE Linux policy v26 MLS 8 symbols 7 ocons
> --
> Then I connected an N958St, which is also Android 4.4.4, and
> adb pushed sepolicy and file_contexts to /data/security/current.
> 
> root@N958St:/data/security/current # setprop sys.init_log_level 6
> root@N958St:/data/security/current # setprop selinux.reload_policy 1
> root@N958St:/data/security/current # dmesg | grep 'SELinux'
> <7>[ 3802.717538] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 3802.718476] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 3802.718497] SELinux:  1 users, 2 roles, 293 types, 1 bools, 1 sens, 1024 cats
> <7>[ 3802.718513] SELinux:  84 classes, 1346 rules
> <6>[ 3802.719963] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
> <6>[ 3802.719978] SELinux: the above unknown classes and permissions will be denied
> <14>[ 3803.548149] SELinux: Loaded policy from /sepolicy
> 
> This is the result.
> root@N958St:/data # ls -Z
> drwx------ root     root              u:object_r:system_data_file:s0 audit
> 
> ---
> But I want to get:
> drwx------ root     root              u:object_r:sec_file:s0 audit
> 
> ---
> Please help me. Thanks in advance.

Android 4.4 disabled reading of selinux policies from /data in commit
72888bfad80641537c8ab2dda2b22779284682d9 to external/libselinux
(included in Android 4.4.3 and 4.4.4).  IIRC, there were problems with
devices being bricked upon an OTA with an old, incompatible /data
policy.  That problem was resolved in Android 5.0 by adding a comparison
of a new /selinux_version file to /data/security/current/selinux_version
and ignoring the /data policy if they did not match, so Android 5.0 and
5.1 once again included the support for loading /data policies. Android
6.0 removed the permissions for loading /data policies in the default
SELinux policy due to concerns about misuse of it, but the code remained
and could be enabled through device-specific policy. Android 7.0 did
likewise. Current AOSP master removes the code entirely and prohibits
reloading of policy as part of the default policy, so you shouldn't
count on this feature remaining at all in stock Android.

BTW, SELinux in Android 4.4 is limited in that it only confines specific
root daemons; it does not confine apps.  App confinement did not come
into play in stock Android until Android 5.0.  If you want app
confinement in 4.4, you'd likely want to start from our old
seandroid-4.4.4 branch on bitbucket.  But life would be simpler if you
could just move to a modern Android version.
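As an added illustration of the two behaviours the reply describes (this is example code, not from the thread and not AOSP's libselinux; function names are hypothetical and every path is a parameter so it runs off-device on constructed files): the first function models the Android 5.0/5.1 selinux_version comparison that decides whether a /data policy is used at all, and the second checks an `ls -Z` line like the one in the question for the expected type, which is the quickest way to confirm whether a custom type ever made it into the running policy.

```sh
#!/bin/sh
# Added example, not code from the thread or from AOSP: a model of the
# Android 5.0/5.1 policy-selection rule plus a label check for `ls -Z` output.
# On 4.4.3/4.4.4 the /data policy is never consulted, which is why the
# question's dmesg shows "Loaded policy from /sepolicy" after every reload.

# select_policy ROOTFS_VERSION_FILE DATA_DIR ROOTFS_POLICY
# Prints the policy path that would be loaded: DATA_DIR/sepolicy only when
# DATA_DIR/selinux_version exists and is byte-identical to the rootfs
# version file; otherwise the rootfs policy (a missing or stale /data
# policy is ignored).
select_policy() {
    rootfs_ver=$1
    data_dir=$2
    rootfs_policy=$3
    data_ver="$data_dir/selinux_version"
    data_policy="$data_dir/sepolicy"
    if [ ! -f "$data_ver" ] || [ ! -f "$data_policy" ]; then
        printf '%s\n' "$rootfs_policy"
        return 0
    fi
    # cmp -s is a byte-for-byte compare, so even a trailing-newline
    # difference in the version string counts as a mismatch.
    if cmp -s "$rootfs_ver" "$data_ver"; then
        printf '%s\n' "$data_policy"
    else
        printf '%s\n' "$rootfs_policy"
    fi
}

# label_matches LS_Z_LINE EXPECTED_TYPE
# Takes one line of Android toolbox `ls -Z` output (same format as in the
# question), extracts the TYPE field of the u:object_r:TYPE:s0 context and
# compares it to EXPECTED_TYPE. Returns 0 on match, 1 (plus a hint on
# stderr) otherwise.
label_matches() {
    line=$1
    want=$2
    ctx=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^u:object_r:/) print $i }')
    got=$(printf '%s\n' "$ctx" | cut -d: -f3)
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "type is '$got', expected '$want': the loaded policy likely lacks the new type" >&2
    return 1
}
```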

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov