Re: fail to extend the policy

2016-11-04 Thread William Roberts
On Fri, Nov 4, 2016 at 6:47 AM, peng fei  wrote:
> 1.  create an executable C program named setest to create, read and write
> hello.txt.
> 2.  push the setest to /data.  root@grouper:/data # ./setest this will
> create hello.txt in /data
> 3.  add setest.te in external/sepolicy :
>
> setest.te
>
> type setest, domain, mlstrustedsubject;
> type setest_exec, exec_type, file_type;
> permissive setest;
> domain_auto_trans(shell, setest_exec, setest)
> # I think I execute setest by ./setest, so it can be transitioned from
> # shell to setest.
> auditallow setest sec_file:file rwx_file_perms;

setest is permissive, so it should audit all accesses not
explicitly marked with a dontaudit.

>
>
> 4.  add new context to the file_contexts.
>
> /data/hello.txt        u:object_r:sec_file:s0

Labels are inherited from the parent directory unless explicitly changed, thus
/data/hello.txt will have the label of /data unless:
1. setest uses libselinux setfscreatecon() to change it at file creation
2. something (like setest) calls restorecon on the file path.

Android best practices dictate that services and such have their own working
directory under /data, thus if you have an init.rc to make /data/setest, init
builtins and relabeling will ensure that /data/setest has the label in
file_contexts, and thus any files underneath will inherit that label.

> /data/setest           u:object_r:setest_exec:s0
>
>
> 5.  add new type in the file.te
>
> #/data/hello.txt
> type sec_file, file_type, data_file_type;
>
>
> 6.  compile the policy and adb push sepolicy, file_contexts, seapp_contexts,
> service_contexts, property_contexts to /data/security/current.
>
> copy /selinux_version to /data/security/current.
>
> root@grouper:/data/security/current # setprop selinux.reload_policy 1

Dynamically loaded policy is not supported by Android anymore, so make sure
your device supports this or you build and flash complete images (boot.img and
system.img must be flashed).

> root@grouper:/data/security/current # restorecon file_contexts

This doesn't do what I think you think it does :-P. This relabels the
file_contexts file to what it is in file_contexts. libselinux opens
file_contexts under the hood, no arguments.

If you want to relabel /data you need to restorecon -R /data or reboot
the device.

> reboot

Reboot may not work with dynamically loaded policy because /data is mounted and
automatically relabeled by init scripts and installd (for app data dirs).
However, this would likely occur before the dynamically loaded policy is used
for relabeling.

Since I don't know the state of your tree with respect to dynamically loaded
policy, it's likely best to just flash full images.

>
> ---
> but the result is :
>
> root@grouper:/data # ls -Z
> -rw--- root root u:object_r:sec_file:s0 hello.txt
> -rwxrwxrwx shell shell u:object_r:system_data_file:s0 setest
>
>
> the type of hello.txt is sec_file, as I expected,
> but the type of setest is not setest_exec
>
>
> please help me, thanks in advance.
>
> ___
> Seandroid-list mailing list
> Seandroid-list@tycho.nsa.gov
> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> seandroid-list-requ...@tycho.nsa.gov.



-- 
Respectfully,

William C Roberts
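The "expected vs actual" comparison behind William's advice (a file keeps its parent directory's label until restorecon, or setfscreatecon() in the program, applies file_contexts) can be checked offline. The following is an added example, not code from the thread or from AOSP: it assumes the documented file_contexts lookup rule that the last matching anchored regex wins, and the file_contexts and `ls -Z` samples are constructed to mirror the thread.

```python
# Added example (not code from the thread): an offline "expected vs actual" label
# check. Assumed file_contexts semantics: "<anchored regex> [-type] <context>" per
# line, and when several regexes match a path the LAST matching entry wins.
import re
# Constructed file_contexts: AOSP's generic /data entry, then the poster's two
# entries placed after it (so they win for their exact paths).
FILE_CONTEXTS = """\
/data(/.*)?          u:object_r:system_data_file:s0
/data/hello.txt      u:object_r:sec_file:s0
/data/setest         u:object_r:setest_exec:s0
"""

# Constructed `ls -Z /data` output with the labels reported in the thread.
LS_Z = """\
-rw------- root  root  u:object_r:sec_file:s0         hello.txt
-rwxrwxrwx shell shell u:object_r:system_data_file:s0 setest
"""

def parse_file_contexts(text):
    """[(compiled regex, context)] in file order; blank/comment lines skipped."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # fields[1] may be an optional file-type flag (--, -d, ...); ignore it.
        specs.append((re.compile(fields[0]), fields[-1]))
    return specs

def expected_context(specs, path):
    """Context file_contexts assigns to an absolute path (None if nothing matches)."""
    result = None
    for regex, context in specs:
        if regex.fullmatch(path):   # file_contexts regexes are anchored at both ends
            result = context        # keep going: last match wins
    return result

def find_mislabeled(file_contexts, ls_z, directory):
    """Map name -> (on-disk label, file_contexts label) for entries in `ls -Z`
    output whose label differs, i.e. what `restorecon -R directory` would change."""
    specs = parse_file_contexts(file_contexts)
    mismatches = {}
    for line in ls_z.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        actual, name = fields[3], fields[-1]
        expected = expected_context(specs, f"{directory}/{name}")
        if expected is not None and expected != actual:
            mismatches[name] = (actual, expected)
    return mismatches
```

On the thread's output, setest is the only mismatch: it was adb-pushed into /data and kept /data's system_data_file label, which `restorecon -R /data` would turn into setest_exec.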


gms app avc denied for debuggerd

2016-11-04 Thread Inamdar Sharif
Hi,

I am getting the following avc denial
type=1400 audit(0.0:13): avc: denied { search } for comm="debuggerd" 
name="com.google.android.gms" dev="mmcblk0p23" ino=284592 
scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 
tclass=dir permissive=0

Is this a known issue?

Also, debuggerd should not access app_data_file?

Thanks.
