On Mon, Oct 7, 2013 at 2:52 PM, Tai Nguyen (tainguye) taing...@cisco.com wrote:
Hi,
We have a server that needs to read the client /proc/pid/cmdline.
Currently, file /proc/pid/cmdline belong to the domain of the running
process.
Is there any way that we can have a generalized rule for that
On Mon, Oct 7, 2013 at 3:13 PM, Tai Nguyen (tainguye) taing...@cisco.com wrote:
This will work, but this will give the server access to all files and dir
on the system, right? So, it will give the server more privilege than
needed. We just want to give the server access to the /proc/pid/cmdline
DAC permissions You would need MAC permission DAC_override.
You should invoke the command as su... So you transition to the su domain.
Bill
On Oct 2, 2013 2:08 PM, Tai Nguyen (tainguye) taing...@cisco.com wrote:
All,
We have the following rules
allow shell shell_data_file:dir
I didn't say it did...and don't add that. Your uid 0 differs from the
owner and group
On Oct 2, 2013 2:15 PM, Tai Nguyen (tainguye) taing...@cisco.com wrote:
But why does shell need DAC_override if shell has all permissions on dir
and files?
Thanks,
Tai
From: William Roberts
Typically if your kernel freaks out when you turn on selinux YOUR kernel is
broken. Many SoC vendors carry out of tree changes and break kernels.
On Oct 2, 2013 2:59 PM, Satya Durga Srinivasu Prabhala
sat...@codeaurora.org wrote:
Hi,
We are observing multiple issues after enabling SELinux on
, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
hosted by Linux Foundation
*From:* owner-seandroid-l...@tycho.nsa.gov [mailto:
owner-seandroid-l...@tycho.nsa.gov] *On Behalf Of *William Roberts
*Sent:* Wednesday, October 02, 2013 12:35 PM
*To:* Satya
The macros:
selinux_manage_policy()
selinux_manage_mmac()
In te_macros. Wherever those
Are used, you want to use BOARD_SEPOLICY_REPLACE to override that file with
a version that does not include that ability.
AFAIK, on branch se-android only init can do this. I looked casually as
well as I can
On Thu, Sep 12, 2013 at 5:49 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 09/11/2013 11:57 PM, William Roberts wrote:
https://bitbucket.org/seandroid/external-libselinux/pull-request/2/seapp_contexts-support-for-prefix-matching/diff
Thanks. I commented on the coding style
testing that reply vs reply all ends up on bitbucket (trying to duplicate
Suyongs success/fail)
On Wed, Sep 11, 2013 at 8:57 PM, William Roberts
bill.c.robe...@gmail.com wrote:
https://bitbucket.org/seandroid/external-libselinux/pull-request/2/seapp_contexts-support-for-prefix-matching/diff
On Fri, Sep 6, 2013 at 12:50 PM, Joshua Brindle
brin...@quarksecurity.com wrote:
Add libaudit support for adding directory watch rules.
Add rule parsing support to auditd.
Rule format matches auditctl. Currently only supports -w and -e.
Change-Id: I8bdaea1b5e2a216eec79cd8c9dae583de8295d26
On Mon, Sep 9, 2013 at 7:10 AM, Joshua Brindle brin...@quarksecurity.com wrote:
William Roberts wrote:
snip
+#define LINE_LEN 255
Don't like these hardcodes, can't we allow arbitrary sized lines?
Not sure it is worth the effort...
How likely is it that a rule can be beyond 255
LGTM
On Mon, Sep 9, 2013 at 12:05 PM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 09/09/2013 02:43 PM, Stephen Smalley wrote:
On 09/09/2013 02:22 PM, Stephen Smalley wrote:
On 09/09/2013 01:01 PM, Stephen Smalley wrote:
On 09/09/2013 09:47 AM, Stephen Smalley wrote:
On 09/06/2013
userdata.img
But when I instead used the -w option to fastboot to actually format
userdata first before flashing I think that fixed it.
Mike
From: William Roberts bill.c.robe...@gmail.com
Date: Monday, September 9, 2013 1:33 PM
To: seandroid-list@tycho.nsa.gov seandroid-list@tycho.nsa.gov
Subject
I always had selinux on this plus I usually wipe userdata weird
On Mon, Sep 9, 2013 at 10:44 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 09/09/2013 01:32 PM, William Roberts wrote:
Does anyone know what creates /data/media/0
Playing around with the manta I see it's unlabeled
Does anyone know what creates /data/media/0
Playing around with the manta I see it's unlabeled on 4.2.2. Am I missing
one of the multi-user patches uploaded to AOSP?
--
Respectfully,
William C Roberts
On Mon, Sep 9, 2013 at 11:22 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 09/09/2013 01:01 PM, Stephen Smalley wrote:
On 09/09/2013 09:47 AM, Stephen Smalley wrote:
On 09/06/2013 03:50 PM, Joshua Brindle wrote:
Add libaudit support for adding directory watch rules.
Add rule parsing
Hmm I am not sure, but after quickly looking at the manifest, I think you
want to clone master/seandroid and clone intent mac branches on top of
that..
repo init -u google url -b master
cp local_manifest.xml .repo/ (USING the intent_mac branch)
repo sync
On Sun, Sep 8, 2013 at 6:15 PM,
hmm weird I never hit this, as I use this on my internal tree, but I only
use REPLACE... The only reason I used m4 was for the include mentions. At
this point, just use cat.
On Sat, Sep 7, 2013 at 8:19 AM, Richard Haines
richard_c_hai...@btinternet.com wrote:
Now that seandroid will allow
I take that back. I am using union and it works just fine. However, I don't
have the insertion lines like you're getting. I would just go to cat.
On Sat, Sep 7, 2013 at 11:21 AM, William Roberts
bill.c.robe...@gmail.com wrote:
hmm weird I never hit this, as I use this on my internal tree, but I
On Fri, Sep 6, 2013 at 2:07 PM, Joshua Brindle brin...@quarksecurity.com wrote:
Stephen Smalley wrote:
On 09/06/2013 03:50 PM, Joshua Brindle wrote:
Add libaudit support for adding directory watch rules.
Add rule parsing support to auditd.
Rule format matches auditctl. Currently only
We have received a pull request from CyanogenMod:
https://bitbucket.org/seandroid/external-sepolicy/pull-request/21/43-functionality-breakage-fixes/diff
--
Respectfully,
William C Roberts
Are you just curious about policy or all the code and parts that make it
work?
On Thu, Sep 5, 2013 at 2:02 PM, Alexander Miske alex33...@googlemail.com wrote:
Hello,
could anybody give me a hint how to start to learn SEAndroid.
I need to understand how the policies work, how many domains are
Well you could check out over ssh now rather than https. This is my
recommendation.
Or you can disable the certificate check:
http://stackoverflow.com/questions/3777075/ssl-certificate-rejected-trying-to-access-github-over-https-behind-firewall
On Sep 2, 2013 4:27 AM, xiaoxiang.fu
Why don't you work on adding tests to CTS?
You could also make a test suite that runs in the unconfined domain. If it's
truly native, by using the init daemon to start it, you will inherently run
in that domain.
You could declare a one shot service in the init.rc and then just use
ctl.start
CTS can launch automatically
On Aug 28, 2013 10:22 AM, Tai Nguyen (tainguye) taing...@cisco.com
wrote:
On 8/28/13 9:00 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/27/2013 02:12 PM, Tai Nguyen (tainguye) wrote:
All,
We are looking for recommendation to support incremental
On Aug 27, 2013 8:12 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/26/2013 08:29 PM, William Roberts wrote:
On Aug 26, 2013 4:41 PM, Stephen Smalley s...@tycho.nsa.gov wrote:
I think I'd rather have an explicit extraCategories= output selector.
But you'd need to expand the number
On Aug 26, 2013 8:53 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/23/2013 04:41 PM, William Roberts wrote:
On Fri, Aug 23, 2013 at 1:40 PM, Stephen Smalley s...@tycho.nsa.gov
wrote:
Ok, I don't think that is too hard, just a matter of having libselinux
use the appropriate library
and then differentiated from there:
1. All files
2. Mac perms
3. Set 1 - set 2
On Aug 26, 2013 9:30 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/26/2013 09:19 AM, William Roberts wrote:
On Aug 26, 2013 8:53 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/23/2013 04:41 PM, William Roberts wrote
On Mon, Aug 26, 2013 at 9:55 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/26/2013 12:22 PM, William Roberts wrote:
I started a thread with Stephen about implementing a way to adjust the
sensitivity portion of the MLS field in seapp_contexts. We have differing
ideologies
On Aug 26, 2013 4:41 PM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/26/2013 04:03 PM, William Roberts wrote:
On Mon, Aug 26, 2013 at 10:15 AM, Stephen Smalley s...@tycho.nsa.gov
wrote:
On 08/26/2013 01:03 PM, William Roberts wrote:
On Mon, Aug 26, 2013 at 10:00 AM, Stephen Smalley s
Another issue exists with reloadable policy support that I avoided at
Samsung by relying on their willingness to apply system updates via OTA.
Right now, relabeling anything is impossible on anything except an OTA,
else you need to explicitly restorecon the file. Even then, userdata
typically
...@quarksecurity.com wrote:
William Roberts wrote:
Another issue exists with reloadable policy support that I avoided at
Samsung by relying on their willingness to apply system updates via OTA.
Right now, relabeling anything is impossible on anything except an OTA,
else you need to explicitly
On Fri, Aug 23, 2013 at 1:19 PM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/23/2013 03:16 PM, William Roberts wrote:
Thoughts on versioning:
So a problem exists where an ota, or userdata update can partially update
the files. Also, an OTA can come in that contains a newer policy
On Fri, Aug 23, 2013 at 1:40 PM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/23/2013 04:24 PM, William Roberts wrote:
On Fri, Aug 23, 2013 at 1:19 PM, Stephen Smalley s...@tycho.nsa.gov
wrote:
If we go the signed zip route, let's use a whole-file signature (as used
by OTA updates
Bundle do anything smart and send it piecemeal and store it on disk?
On Fri, Aug 23, 2013 at 4:24 PM, William Roberts bill.c.robe...@gmail.com
wrote:
On Fri, Aug 23, 2013 at 1:19 PM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/23/2013 03:16 PM, William Roberts wrote:
Thoughts
with the current code. It's just not using
a passed fd.
No I don't think it's finalized either by looking at it. So it's just passing
paths? so it could just pass the path to the policy zip.
On Fri, Aug 23, 2013 at 5:03 PM, William Roberts bill.c.robe...@gmail.com
wrote:
On Fri, Aug 23, 2013
This patch:
https://bitbucket.org/seandroid/external-sepolicy/pull-request/20/allow-unioning-of-selinux-network-labeling/diff
Allows the unioning and replacing of selinux-network.sh script, which may
be useful for those of you that want to control at build time your network
labelling if you have
Changing data labels, especially MLS, was a pain in the ass. In fact, I got
the privilege of writing a letter to VZW when I dropped MLS and had to have
all the field users wipe their data partition. This is where, a smart
relabeling service is needed.
On Wed, Aug 21, 2013 at 7:36 AM, Joshua
Yeah I have run into this before. In Samsung we just sent an OTA, as it was no
big deal. We either need something like relabeld or a way for the kernel to set
the security attribute at file open based on the policy, rather than needing to
label I'm not a huge fan of labeling.
Bill
On Tue, Aug 20, 2013 at 10:25 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/20/2013 11:22 AM, William Roberts wrote:
Yeah I have run into this before. In Samsung we just sent an OTA, as it
was no big deal. We either need something like relabeld or a way for the
kernel to set
On Tue, Aug 13, 2013 at 6:07 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 08/12/2013 10:22 AM, William Roberts wrote:
Since we are building outside of an OEMs tree, I would imagine you're not
using their private key to sign your applications that should be
platform,
etc (Except
Just wondering what the consensus, or others are using as the domain for
sideloaded Google Apps?
--
Respectfully,
William C Roberts
So that's the set signed with the plat key? I know what ConfigUpdater.apk
is, and that makes sense on non TW roms. The and GoogleBackupTransport.apk
also seems pretty fine. No idea what Stk is.
On Mon, Aug 12, 2013 at 10:30 AM, rpcraig rpcr...@tycho.ncsc.mil wrote:
On 08/12/2013 10:29 AM,
, William Roberts wrote:
However, IMO if I'm not the one holding the key it should go into
untrusted_app. I can't remember if when I was at Samsung if we resigned the
APK's or not, I am pretty sure we did not.
Does your untrusted_app domain include gapps that are part of the system
image; i.e
Probably not, I would relabel the fonts directory...
On Wed, Jul 10, 2013 at 1:16 PM, Peck, Michael A mp...@mitre.org wrote:
These are from SE for Android master running on a Galaxy Nexus.
Opera actually crashes at startup in both permissive mode and enforcing
mode so I can’t tell if
I figured I would give a hardlink a shot from the bind mount from
/pro/pid to /data back to /data... and it failed per my expectations,
cross link device.
On Fri, Jul 5, 2013 at 11:58 AM, William Roberts
bill.c.robe...@gmail.com wrote:
bind mount seems to not care about the context option
Chcon won't work, as 'a' is from proc ... it's not that big of a deal, but it
would be nice.
From: owner-seandroid-l...@tycho.nsa.gov
[mailto:owner-seandroid-l...@tycho.nsa.gov] On Behalf Of Robert Craig
Sent: Friday, July 05, 2013 1:40 PM
To: William Roberts
Cc: seandroid-list@tycho.nsa.gov
I added a SIGHUP handler to auditd. Upon receiving a SIGHUP, auditd will rotate
the logfiles.
Pull Request on bitbucket.
https://bitbucket.org/seandroid/system-core/pull-requests
Bill
It should work fine:
1. Ensure you have all the drivers per:
https://developers.google.com/android/nexus/drivers
2. perhaps do an adb format cache and adb format userdata
On Wed, Jun 19, 2013 at 8:06 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 06/19/2013 01:57 AM, Haiqing Jiang wrote:
Oh one last thing, how are you flashing, via update.zip?
On Sat, Jun 8, 2013 at 3:46 PM, William Roberts bill.c.robe...@gmail.com wrote:
Well your dissection of those denials is correct, you have
an unlabeled file that needs to be labeled. Is that file in the system.img
during build? You can
Craig robertpcr...@gmail.com
Could you give us your dmesg output on boot and run 'ls -Z /'. That would
certainly give us a bit more info.
On Sat, Jun 8, 2013 at 3:46 PM, William Roberts bill.c.robe...@gmail.com
wrote:
Oh one last thing, how are you flashing, via update.zip?
On Sat, Jun
try and use seandroid repos for this. I
also checked, CM does have HAVE_SELINUX switches in their
system/extras/ext4utils.
2013/6/8 William Roberts bill.c.robe...@gmail.com
Looks like make_ext4 isn't properly labeling system.img
Perhaps they don't have all the support in system/extras
noticed there is an -L switch for label. In my build,
there is no -L switch in make_ext4fs command. Could this mean something?
Also, at the end of this build output, there is empty Label: between
Journal blocks and Blocks.
2013/6/8 William Roberts bill.c.robe...@gmail.com
Ok cool, that's
The MLS levels used before in the policy was to provide isolation between
multiple untrusted_apps. as the type rules allowed them to
access their own and other apps private app sandboxes. MLS constraints were
used to tighten this.
all apps, except untrusted_app run at s0, and untrusted_apps should
Yeah any of the specific types, like kgsl (guilty) or ion should be
generalized...
pmem and ion could probably share a type etc... and continuing this for
everything else that fits this.
On Tue, May 21, 2013 at 1:21 PM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 05/21/2013 04:13 PM, Peck,
for
everything. Obviously we will lose fine grained control, but have a much
more generic model that OEMs and others won't need to customize as much.
Bill
On Tue, May 21, 2013 at 1:30 PM, William Roberts
bill.c.robe...@gmail.com wrote:
Yeah any of the specific types, like kgsl (guilty) or ion should
Ok, will do. I was thinking of making this a KConfig option, this way an
ignorant userspace still works.
On Mon, May 20, 2013 at 9:20 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 05/16/2013 05:08 PM, William Roberts wrote:
Allow the audit subsystem to send audit events to both
One other question, should I append any new fields to structs to the end,
as to preserve alignment?
Bill
On Thu, May 16, 2013 at 11:16 AM, William Roberts
bill.c.robe...@gmail.com wrote:
On Thu, May 16, 2013 at 5:45 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 05/15/2013 09:52 PM
Allow the audit subsystem to send audit events to both the kernel
message buffer and auditd at the same time.
Change-Id: I53de6b121bb4d7ec0cd31fa9b7a9d31a1ff9782f
Signed-off-by: William Roberts w.robe...@sta.samsung.com
---
include/linux/audit.h | 10 ++
kernel/audit.c| 49
From eb7a0d5e711b555d38e3cd19c754e4a866bb07a4 Mon Sep 17 00:00:00 2001
From: William Roberts w.robe...@sta.samsung.com
Date: Wed, 15 May 2013 18:12:31 -0700
Subject: [PATCH] Enable splitting the logs to both auditd and kernel
simultaneously
Allow the audit subsystem to send audit events to both
On Wed, May 15, 2013 at 6:52 PM, William Roberts
bill.c.robe...@gmail.com wrote:
From eb7a0d5e711b555d38e3cd19c754e4a866bb07a4 Mon Sep 17 00:00:00 2001
From: William Roberts w.robe...@sta.samsung.com
Date: Wed, 15 May 2013 18:12:31 -0700
Subject: [PATCH] Enable splitting the logs to both
On Wed, May 15, 2013 at 6:55 PM, William Roberts
bill.c.robe...@gmail.com wrote:
On Wed, May 15, 2013 at 6:52 PM, William Roberts bill.c.robe...@gmail.com
wrote:
From eb7a0d5e711b555d38e3cd19c754e4a866bb07a4 Mon Sep 17 00:00:00 2001
From: William Roberts w.robe...@sta.samsung.com
Date
Are there any characters that cannot be used in a security label, that we
can safely use a delimiter if we went with reusing the seclabel option in
init.rc for this?
On Thu, May 9, 2013 at 3:05 PM, William Roberts bill.c.robe...@gmail.com wrote:
Although I am not sure how Google would
Anyone else getting this when they compile the mako kernel?
$ make mako_defconfig -j16
warning: (ARCH_MSM_KRAITMP ARCH_MSM_CORTEX_A5) selects
HAVE_HW_BRKPT_RESERVED_RW_ACCESS which has unmet direct dependencies
(HAVE_HW_BREAKPOINT)
warning: (ARCH_MSM_KRAITMP ARCH_MSM_CORTEX_A5) selects
: bapRsnTxRx.c:222
make[3]: *** [drivers/staging/prima/CORE/BAP/src/bapRsnTxRx.o] Error 1
make[3]: *** Waiting for unfinished jobs
I resolved it when I switched to this compiler:
arm-eabi-4.6
Normally I use the newest, but it fails.
Bill
On Wed, May 8, 2013 at 4:59 PM, William Roberts
There is an issue with using the socket keyword in the init.rc when the
service is started with logwrapper. The resulting socket stays in the init
domain, thus when the child process is finally invoked by logwrapper, it,
most likely, cannot access its socket. An example of this is on the Mako
(scon) there as well?
This way the behavior is use the default or whatever is in file_contexts...
Bill
On Tue, May 7, 2013 at 10:37 PM, William Roberts
bill.c.robe...@gmail.com wrote:
There is an issue with using the socket keyword in the init.rc when the
service is started with logwrapper
Am I the only one getting a build error on 23fsck failing with created
userdata.img?
I just turned the flag off for the check in build_image.py
diff --git a/tools/releasetools/build_image.py
b/tools/releasetools/build_image.py
index 94a9fda..734ca34 100755
--- a/tools/releasetools/build_image.py
I have two pending pull requests on bitbucket for external/sepolicy:
1. run as should support appdomain -system_app not just untrusted_app
2. policy changes for renaming untrusted_app to thirdparty_app, and
supporting a black list policy domain for thirdparty_app if a sebool is set.
--
Let me add the link:
https://bitbucket.org/seandroid/external-sepolicy/pull-requests
On Mon, Apr 29, 2013 at 11:39 AM, William Roberts
bill.c.robe...@gmail.com wrote:
I have two pending pull requests on bitbucket for external/sepolicy:
1. run as should support appdomain -system_app not just
Support for building a revision mapping file with policy builds has been
submitted for review at:
https://bitbucket.org/seandroid/external-sepolicy/pull-request/14/initial-support-for-revision-mapping-file/diff
On Mon, Apr 22, 2013 at 11:36 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 04/22/2013 12:02 PM, William Roberts wrote:
Support for building a revision mapping file with policy builds has been
submitted for review at:
https://bitbucket.org/seandroid/external-sepolicy/pull-request/14
)
and that works fine fixing both problems. Also used the new -s option and
tested okay.
Thanks
Richard
--- On *Fri, 19/4/13, William Roberts bill.c.robe...@gmail.com* wrote:
From: William Roberts bill.c.robe...@gmail.com
Subject: Re: checkseapp - duplicate entry query plus seg fault using -v
option
I have no problem with it dropping the duplicate and moving on, we could
have a strict mode if we want to enforce some come of duplicate semantics.
I think if we are going to tag log_info with __attribute__ we should
probably do it to all the logging functions. I can author a patch tomorrow
and
Yeah I was referring to just master... But I was also a little out of date as
well.
On Apr 5, 2013 5:32 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 04/04/2013 08:41 PM, William Roberts wrote:
Do we still need checkpolicy, libsepol or libselinux in the local
manifest?
I thought we were
Do we still need checkpolicy, libsepol or libselinux in the local manifest?
I thought we were merged up on those.
--
Respectfully,
William C Roberts
Here is the first draft available, I need to clean up the error handling
and logging. If we want to go to a type=AVC or other messages we could go
that route as well, so I am open to suggestions.
https://bitbucket.org/billcroberts/system-core/commits/branch/master-formatted-auditd
--
On Thu, Feb 14, 2013 at 10:34 PM, Saurabh Sharma saurabh...@samsung.com wrote:
Hello William,
I was clear on this part but in my case when I am trying to connect to
a server socket I get write permission denial. Hence my assumption is when
rule has only connectto permission it should
What version of the code are you on? Did you sync to master?
I am assuming you're trying to build SEAndroid as defined in the
instructions here:
http://selinuxproject.org/page/SEAndroid
On Sun, Feb 10, 2013 at 1:04 PM, Jaejyn Shin flagon22b...@gmail.com wrote:
Hi.
I want to make my own custom
https://bitbucket.org/seandroid/system-core/pull-request/3/auditd-to-use-direct-io-with-sync/diff
--
Respectfully,
William C Roberts
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to majord...@tycho.nsa.gov with
.
On Mon, Jan 28, 2013 at 2:57 PM, William Roberts
bill.c.robe...@gmail.com wrote:
random and urandom are allowed by domain, this is an MLS issue.
Try applying this patch:
diff --git a/device.te b/device.te
index 7818ce8..72c3e54 100644
--- a/device.te
+++ b/device.te
@@ -29,11 +29,11
Creating a pull request:
https://bitbucket.org/billcroberts/external-sepolicy
To start discussions on being able to support creating a pem file from
a base16 cert or modifying insertkeys to be able to use base16
encodings or maybe paths to apks...
Trying to add a pem file option to setool. This
-outform PEM
-print_certs
Or am I missing what you're trying to achieve?
On Tue, Jan 29, 2013 at 5:52 PM, William Roberts bill.c.robe...@gmail.com
wrote:
Creating a pull request:
https://bitbucket.org/billcroberts/external-sepolicy
To start discussions on being able to support creating
Updated pull requests per the comments, please review.
On Thu, Jan 24, 2013 at 1:22 PM, William Roberts
bill.c.robe...@gmail.com wrote:
All,
I have updated my pull requests for relocating the policy files.
external/libselinux:
https://bitbucket.org/seandroid/external-libselinux/pull-request
On Wed, Jan 23, 2013 at 11:57 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On 01/23/2013 02:50 PM, William Roberts wrote:
I have some patches I am cleaning up right now for moving the
/data/system policy files to their own location. Since those files are
key to security, as well
Bitbucket has support for code review, including inline comments. I
made pull requests from my repo to your repo for the policy file
relocation. This way we can handle the discussion off-line of Gerrit,
until they are ready to upload.
That's weird, if I recall emulated is used for the fuse mount. I wonder why
that app isn't going the normal route
On Jan 23, 2013 9:29 PM, Peck, Michael A mp...@mitre.org wrote:
An app I installed (Big Win Basketball) kept crashing whenever SELinux
enforcing mode was turned on. This is on
Just a hunch but does .* work?
On Jan 21, 2013 7:20 PM, William Roberts bill.c.robe...@gmail.com wrote:
I ran a property contexts file through checkfc to see what the result
was and the only issue it has is expanding the * for default. If you
comment that out and try to add a duplicate label
On Fri, Jan 18, 2013 at 10:33 AM, Stephen Smalley
stephen.smal...@gmail.com wrote:
On Thu, Jan 17, 2013 at 8:15 PM, William Roberts
bill.c.robe...@gmail.com wrote:
This seems suspect, any good reason why this is there? Is system
server too much of a pain to scope down?
allow system
Some recent changes in external/mockwebser, a rename of their module
has broken the build:
commit 33cba0d1154f31a26682a60c7a02ca51e1d39558
Author: Brian Carlstrom b...@google.com
Date: Thu Jan 17 16:18:58 2013 -0800
Rename mockwebserver-hostdex to mockwebserver-host
Change-Id:
Change-Id: Ief2e9617e6b5ce569d5ed72166f1fd5d13c038b5
---
sepolicy/file_contexts | 5 +
1 file changed, 5 insertions(+)
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 1602cce..e808e7d 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -28,3 +28,8 @@
#
Depends on
https://android-review.googlesource.com/#/c/50180/
-Original Message-
From: William Roberts [mailto:bill.c.robe...@gmail.com]
Sent: Friday, January 18, 2013 12:22 PM
To: s...@tycho.nsa.gov
Cc: seandroid-list@tycho.nsa.gov; William Roberts
Subject: [PATCH] Label mpu device
We can drop this patch since mpu is used in many devices. I uploaded a
new patch to gerrit.
On Fri, Jan 18, 2013 at 12:24 PM, William Roberts
w.robe...@sta.samsung.com wrote:
Depends on
https://android-review.googlesource.com/#/c/50180/
-Original Message-
From: William Roberts
access to this repository.
Thanks,
Quentin.
From: owner-seandroid-l...@tycho.nsa.gov [owner-seandroid-l...@tycho.nsa.gov]
on behalf of William Roberts [bill.c.robe...@gmail.com]
Sent: Monday, January 14, 2013 7:52 PM
To: seandroid-list@tycho.nsa.gov
Can you cherry pick https://android-review.googlesource.com/#/c/49090/
to seandriod branch. I did not see it included.
--
Respectfully,
William C Roberts
I just started some work on creating an Auditd for Android from
scratch to avoid any licensing issues that plagued the existing port
from mainline Android inclusion, the existing port of auditd can be
found here:
https://github.com/nwhusted/AuditdAndroid.
I created a local manifest for these
, January 08, 2013 9:51 AM
To: William Roberts
Cc: seandroid-list@tycho.nsa.gov
Subject: Re: multi user support
On 01/08/2013 09:23 AM, Stephen Smalley wrote:
On 01/07/2013 09:53 PM, William Roberts wrote:
Just wondering what the status of multi user support for tablets with
SEAndroid is, is Manta
did you push the new policy to the device?
1. rebuild the policy with make sepolicy
2. push the newly generated file_contexts file to data/system, look in
the output from make telling you where it installed the policy file
you're concerned with.
3. adb shell setprop selinux.reload_policy 1
From 47089f2e2b733918e72995b8e94bcc30bc6c57ff Mon Sep 17 00:00:00 2001
From: William Roberts w.robe...@sta.samsung.com
Date: Mon, 7 Jan 2013 20:36:02 -0800
Subject: [PATCH] Drop unused variable
Change-Id: Ib8d0a9ef20ea7fe37857bda6fc044e8225c47f00
---
src/com/android/seandroid_manager
Must be missing some denials perhaps early in init? That is my only guess.
On Thu, Jan 3, 2013 at 9:38 AM, Alice Chu alice@sta.samsung.com wrote:
Hello,
Does anyone know where in init.rc is the best place to setenforce to 1?
We want to set enforcement mode. Here is what we observed: