I'm not sure how to answer the ownership question. I'm trying to allow my
application to write files in data/system/ifw which would be picked up by
the IntentFilter and then block certain application components from
executing. I have existing code that does that and it worked on Marshmallow
but its not working on Nougat because of that permission denied exception
when creating a file in data/system/ifw folder. Does that help out in your
2016-10-18 16:47 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
> On 10/18/2016 10:41 AM, Sava Mikalački wrote:
> > Thanks everyone for your quick answers. Yes, compilation worked once I
> > defined the type in file.te. I will try this out and also will try with
> > system_app, probably thats simpler as you said. Whats confusing me is
> > that I get Permission denied exception when I try to create a file in
> > that directory with a system app but there is no selinux avc denial
> > before the exception, it just fires the exception and thats it, so I'm
> > afraid if changing the sepolicy would even work.
> What's the ownership and mode of the directory?
> > 2016-10-18 16:35 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov
> > <mailto:s...@tycho.nsa.gov>>:
> > On 10/18/2016 10:23 AM, William Roberts wrote:
> > > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com
> > > <mailto:mikalac...@gmail.com <mailto:mikalac...@gmail.com>>>
> > >>
> > >> I'm trying to extend aosp file_contexts by adding a new entry for
> > > /data/system/ifw. I've created a file_contexts under my vendor
> > > structure but if I try to use the new label, build crashes with
> > > type. I'm
> > >
> > > You need to declare the type with the type keyword:
> > >
> > > type system_data_ifw, file_type;
> > >
> > > trying to enable a platform_app to write to data/system/ifw and
> here is
> > > what I have so far:
> > >> file_contexts:
> > >> /data/system/ifw(/.*)?
> > >> platform_app.te:
> > >> allow platform_app system_data_ifw:file create_file_perms;
> > >
> > > Platform applications shouldn't be creating stuff around the
> > > they should stick to their sandbox. I cant recall offhand, but a
> > > allow I wrote might assert itself on that allow rule.
> > Probably not since it is a new type he just defined. However, it
> > to me that DAC will be a problem for this use case, since platform
> > can be assigned arbitrary UIDs and thus won't be able to pass the DAC
> > checks on writing to /data/system/ifw unless you set up a group, map
> > permission to that group, assign that group to /data/system/ifw, and
> > make it group-writable. Simpler if you use a system_app or some
> > fixed UID app instead, although that carries its own set of issues.
> > --
> > I have only two questions: How much and give it to me.
I have only two questions: How much and give it to me.
Seandroid-list mailing list
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to