On Nov 23, 2016 02:34, "peng fei" <fionapeng...@gmail.com> wrote:
>
> requirement:
> system/bin/setest is an executable program to read and write /data/hello.txt. I expected that just setest can read or write the file /data/hello.txt.
> root@generic:/system/bin # ./setest
> Hello, Software Weekly
> ----------------------------------------------
> the details are as follows:
> 1. add setest.te in /device/asus/flo/sepolicy :
>
> type setest, domain, mlstrustedsubject;
> #setest is also permissive to permit setenforce.
> type setest_exec, exec_type, file_type;
> init_daemon_domain(setest)
> permissive setest;
> allow setest mysec_file:file rw_file_perms;
>
> 2. add setest.te in the file device/asus/flo/BoardConfigCommon.mk as follows:
>
> BOARD_SEPOLICY_UNION += \
> bluetooth_loader.te \
> bridge.te \
> setest.te \
Newer releases all use BOARD_SEPOLICY_DIRS. Verify which one you need. I can't recall offhand in what versions the switch was made.

>
> 3. add context in /device/asus/flo/sepolicy/file_contexts as follows:
> /system/bin/setest u:object_r:setest_exec:s0
>
> 4. I modify file.te in /external/sepolicy
>
> add
> # /data/hello.txt
> type mysec_file, file_type, data_file_type;
>
> I modify file_contexts in /external/sepolicy
> add
> /data/hello.txt u:object_r:mysec_file:s0

You really could add all of this in the device policy, no need to ever modify external sepolicy. On newer versions it's system/sepolicy FYI.

Additionally, that file context entry won't work unless the binary is made SELinux aware. Labels are inherited from the parent on the filesystem unless other actions are taken. Typically it's best to define a directory under /data that the init script can create. Init's builtins have the support to look at file contexts and label things correctly. So a simple mkdir /data/xxx will suffice in the init script. Then update the file context to label that and have your service create things under that file.

FYI: Also, you can't launch setest from the shell. It will run in the context of the shell and not the domain you defined. It needs to be started by init. You can use start/stop to start and stop the service.
>
> -----------------------------------------------------------------------------
> the results are as follows:
>
> I use the android5.1.1_r9 ,
> ## I recompile the whole system to make the change effective.###
> [pengfei@pengfei asop]$ source build/envsetup.sh
> [pengfei@pengfei asop]$ lunch aosp_arm-eng
> [pengfei@pengfei asop]$ make
> [pengfei@pengfei asop]$ emulator
> adb shell
> root@generic:/system/bin # ls -Z
> -rwxr-xr-x root shell u:object_r:setest_exec:s0 setest
> root@generic:/system/bin # ./setest
> Hello, Software Weekly
> #####setest is an executable program to read and write /data/hello.txt .#
> But when I use dmesg to have a look at the policy which I have made, it does not work.
> details are as follows:
> root@generic:/system/bin # dmesg | grep 'avc'
> 1|root@generic:/system/bin # dmesg | grep 'setest'
> 1|root@generic:/system/bin #
> just get 1.
> What's wrong with my policy change method?
> I think the setest.te does not work as I expected.
> I cd /data/ and cat hello.txt . It works. I expected just setest can read or write the file hello.txt
> root@generic:/data # cat hello.txt
> Hello, Software Weeklyroot@generic:/data #
>
> Please help me. Thanks in advance.
>
> _______________________________________________
> Seandroid-list mailing list
> Seandroid-list@tycho.nsa.gov
> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
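The layout the reply recommends (everything in the device policy, a directory under /data created by init, and a service launched by init rather than from the shell), written out as an added example; this is not code from either poster. The names setest_data_file, /data/setest and init.flo.rc are assumptions, and the device sepolicy directory is assumed to already be wired in through BOARD_SEPOLICY_DIRS / BOARD_SEPOLICY_UNION as discussed above.

```text
# device/asus/flo/sepolicy/setest.te  (example file, not the poster's)
type setest, domain;
type setest_exec, exec_type, file_type;
init_daemon_domain(setest)

# Label for the daemon's private directory and everything created inside it.
# The name setest_data_file is an assumption.
type setest_data_file, file_type, data_file_type;
allow setest setest_data_file:dir rw_dir_perms;
allow setest setest_data_file:file create_file_perms;

# device/asus/flo/sepolicy/file_contexts
# The (/.*)? suffix covers the directory and any file setest creates under it.
/system/bin/setest           u:object_r:setest_exec:s0
/data/setest(/.*)?           u:object_r:setest_data_file:s0

# device/asus/flo/init.flo.rc  (assumed file name)
# init's mkdir builtin consults file_contexts, so the directory comes up
# labelled setest_data_file with no restorecon step; files the daemon writes
# there inherit that label instead of the parent's system_data_file.
on post-fs-data
    mkdir /data/setest 0700 system system

# Started by init, so the process transitions into the setest domain; run from
# adb with "start setest" / "stop setest", never by executing it from the shell.
service setest /system/bin/setest
    class late_start
    user system
    group system

# Checks after boot (constructed shell session, expected labels shown):
#   ls -Zd /data/setest     -> u:object_r:setest_data_file:s0
#   ps -Z | grep setest     -> u:r:setest:s0
#   dmesg | grep avc        -> any denial here names the rule still missing
```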