On 10/12/2016 05:57 AM, peng fei wrote:
> I want to modify sepolicy and verify it.
>
> First,
>
> I download the android4.4.4 sepolicy, and modify file.te and
> file_context, add a new type sec_file.
> #/data/audit
> type sec_file, file_type, data_file_type;
> /data/audit(/.*)? u:object_r:sec_file:s0
>
> --
> Second, compile policy.
>
> m4 -D mls_num_sens=1 -D mls_num_cats=1024 -D target_build_variant=user
> -s security_classes initial_sids access_vectors global_macros
> mls_macros mls policy_capabilities te_macros attributes *.te
> roles users initial_sid_contexts fs_use genfs_contexts
> port_contexts > policy.conf
> [pengfei@pengfei seandroid-4.4.4-external-sepolicy]$ checkpolicy -M -c
> 26 -o sepolicy policy.conf
> checkpolicy: loading policy configuration from policy.conf
> checkpolicy: policy configuration loaded
> checkpolicy: writing binary representation (version 26) to sepolicy
> [pengfei@pengfei seandroid-4.4.4-external-sepolicy]$ file sepolicy
> sepolicy: SE Linux policy v26 MLS 8 symbols 7 ocons
> --
> Then, I connected with N958St, which is also android4.4.4.
> I adb push sepolicy and file_contexts to /data/security/current.
>
> root@N958St:/data/security/current # setprop sys.init_log_level 6
> root@N958St:/data/security/current # setprop selinux.reload_policy 1
> root@N958St:/data/security/current # dmesg | grep 'SELinux'
> <7>[ 3802.717538] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 3802.718476] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 3802.718497] SELinux: 1 users, 2 roles, 293 types, 1 bools, 1
> sens, 1024 cats
> <7>[ 3802.718513] SELinux: 84 classes, 1346 rules
> <6>[ 3802.719963] SELinux: Permission attach_queue in class tun_socket
> not defined in policy.
> <6>[ 3802.719978] SELinux: the above unknown classes and permissions
> will be denied
> <14>[ 3803.548149] SELinux: Loaded policy from /sepolicy
> <7>[ 4479.980176] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4479.981074] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4479.981095] SELinux: 1 users, 2 roles, 293 types, 1 bools, 1
> sens, 1024 cats
> <7>[ 4479.981107] SELinux: 84 classes, 1346 rules
> <6>[ 4479.982588] SELinux: Permission attach_queue in class tun_socket
> not defined in policy.
> <6>[ 4479.982603] SELinux: the above unknown classes and permissions
> will be denied
> <14>[ 4480.187929] SELinux: Loaded policy from /sepolicy
> <7>[ 4503.340545] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4503.341450] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4503.341467] SELinux: 1 users, 2 roles, 293 types, 1 bools, 1
> sens, 1024 cats
> <7>[ 4503.341479] SELinux: 84 classes, 1346 rules
> <6>[ 4503.342907] SELinux: Permission attach_queue in class tun_socket
> not defined in policy.
> <6>[ 4503.342921] SELinux: the above unknown classes and permissions
> will be denied
> <14>[ 4504.009018] SELinux: Loaded policy from /sepolicy
> <7>[ 4524.927888] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4524.928835] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 4524.928854] SELinux: 1 users, 2 roles, 293 types, 1 bools, 1
> sens, 1024 cats
> <7>[ 4524.928865] SELinux: 84 classes, 1346 rules
> <6>[ 4524.930319] SELinux: Permission attach_queue in class tun_socket
> not defined in policy.
> <6>[ 4524.930333] SELinux: the above unknown classes and permissions
> will be denied
> <14>[ 4525.218099] SELinux: Loaded policy from /sepolicy
> <7>[ 6609.537301] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 6609.538209] SELinux: 512 avtab hash slots, 1346 rules.
> <7>[ 6609.538231] SELinux: 1 users, 2 roles, 293 types, 1 bools, 1
> sens, 1024 cats
> <7>[ 6609.538243] SELinux: 84 classes, 1346 rules
> <6>[ 6609.539703] SELinux: Permission attach_queue in class tun_socket
> not defined in policy.
> <6>[ 6609.539717] SELinux: the above unknown classes and permissions
> will be denied
> <14>[ 6609.828011] SELinux: Loaded policy from /sepolicy
>
> This is the result.
> root@N958St:/data # ls -Z
> drwx-- root root u:object_r:system_data_file:s0 audit
>
> ---
> But I want to get the
> drwx-- root root u:object_r:sec_file:s0 audit
>
> --- Please help me. Thanks in advance.
Android 4.4 disabled reading of selinux policies from /data in commit
72888bfad80641537c8ab2dda2b22779284682d9 to external/libselinux
(included in Android 4.4.3 and 4.4.4). IIRC, there were problems with
devices being bricked upon an OTA with an old, incompatible /data
policy. That problem was resolved in Android 5.0 by adding a comparison
of a new /selinux_version file to /data/security/current/selinux_version
and ignoring the /data policy if they did not match, so Android 5.0 and
5.1 once again included the support for loading /data policies. Android
6.0 removed the permissions for loading /data policies in the default
SELinux policy due to concerns about misuse of it, but the code remained
and could be enabled through device-specific policy.
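The question's real goal is to confirm that a file_contexts entry resolves /data/audit to sec_file, and the `ls -Z` output shows why the check is worth doing offline before touching a device. The script below is an added example, not code from either mail: it parses a small constructed file_contexts fragment (the `/data(/.*)?` line mirrors the stock AOSP default that produced the system_data_file label in the thread; the `/data/audit(/.*)?` line is the one peng fei added), resolves paths with libselinux's semantics (each regex anchored to the whole path, last matching entry wins), and compares the expected label with the label an `ls -Z` line reports. One caveat it makes visible: `ls -Z` prints the label stored in the directory's security.selinux xattr, and loading a new policy does not rewrite that; a directory that already existed keeps its old label until it is relabelled (for example with restorecon), even on a build where the /data policy is actually loaded.

```python
import re

# Constructed sample file_contexts fragment (not the device's real file).
# The /data(/.*)? entry mirrors the stock AOSP default; /data/audit(/.*)?
# is the entry added in the mail.
FILE_CONTEXTS = """\
# comments and blank lines are ignored
/                       u:object_r:rootfs:s0
/data(/.*)?             u:object_r:system_data_file:s0
/data/audit(/.*)?       u:object_r:sec_file:s0
"""

# ls -Z line copied from the thread (permission bits were truncated in the mail).
LS_Z_LINE = "drwx-- root root u:object_r:system_data_file:s0 audit"

_CONTEXT_RE = re.compile(r"(?<!\S)u:[^:\s]+:[^:\s]+:\S+")


def parse_file_contexts(text):
    """Return [(compiled_regex, file_type_or_None, context)] in file order.

    Accepts the two- and three-field forms ("regex context" and
    "regex -d context"); comments start at the beginning of a line.
    """
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1].startswith("-"):
            regex, ftype, context = fields
        else:
            raise ValueError(f"line {lineno}: malformed spec {raw!r}")
        # libselinux anchors every spec to the whole pathname.
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def lookup(specs, path):
    """Return the context for path, or None if no spec matches.

    Walks the specs from the end so the last matching entry wins,
    which is how libselinux's selabel_file backend resolves paths.
    """
    for regex, _ftype, context in reversed(specs):
        if regex.match(path):
            return context
    return None


def context_from_ls_z(line):
    """Extract the u:object_r:type:s0 token from an Android `ls -Z` line."""
    match = _CONTEXT_RE.search(line)
    return match.group(0) if match else None


def check_label(specs, path, ls_z_line):
    """Compare the label file_contexts expects with the label on disk.

    Returns (expected, actual, ok). ok is False when the directory needs
    relabelling (or when the expected type was never loaded at all).
    """
    expected = lookup(specs, path)
    actual = context_from_ls_z(ls_z_line)
    return expected, actual, expected is not None and expected == actual


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in ("/data", "/data/audit", "/data/audit/log.txt", "/data/auditx"):
        print(f"{p:24} -> {lookup(specs, p)}")
    expected, actual, ok = check_label(specs, "/data/audit", LS_Z_LINE)
    print(f"expected {expected}, on disk {actual}, "
          f"{'ok' if ok else 'mismatch: relabel needed'}")
```

Running the script prints sec_file for /data/audit and everything beneath it, system_data_file for the sibling /data/auditx (the `(/.*)?` suffix only matches a path separator or nothing), and reports a mismatch for the `ls -Z` line from the thread. The mismatch verdict is the same whether the policy on the device was never loaded, as the reply explains for 4.4.3 and 4.4.4, or was loaded but the directory was never relabelled; distinguishing those two cases is what `dmesg | grep SELinux` and a restorecon run are for.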