Re: [PATCH 6/8] libselinux: support ANDROID_HOST=1 on Mac

2016-10-18 Thread Stephen Smalley
On 10/17/2016 04:24 PM, william.c.robe...@intel.com wrote: > From: William Roberts > > To build on mac, first build libsepol with > DISABLE_CIL=y and no DESTDIR set. DISABLE_CIL=y isn't required after the earlier patches, right? > > Secondly, build libselinux with ANDROID_HOST=y > > This conf

Re: [PATCH 6/8] libselinux: support ANDROID_HOST=1 on Mac

2016-10-18 Thread William Roberts
On Oct 18, 2016 08:41, "Stephen Smalley" wrote: > > On 10/17/2016 04:24 PM, william.c.robe...@intel.com wrote: > > From: William Roberts > > > > To build on mac, first build libsepol with > > DISABLE_CIL=y and no DESTDIR set. > > DISABLE_CIL=y isn't required after the earlier patches, right? Cor

Re: How to verify my policy?

2016-10-18 Thread Stephen Smalley
On 10/17/2016 11:19 PM, peng fei wrote: > I want to achieve the result that just allow jd process to open and > read /data/audit/log/audit.log. > For this target, I add some rules in policy file. > And after that, I want to verify my policy. So, I create a test.c to > read /data/audit/log/audit.l

Extending file_contexts

2016-10-18 Thread Sava Mikalački
I'm trying to extend aosp file_contexts by adding a new entry for /data/system/ifw. I've created a file_contexts under my vendor directory structure but if I try to use the new label, build crashes with unknown type. I'm trying to enable a platform_app to write to data/system/ifw and here is what I

Re: How to verify my policy?

2016-10-18 Thread William Roberts
On Oct 18, 2016 9:02 AM, "Stephen Smalley" wrote: > > On 10/17/2016 11:19 PM, peng fei wrote: > > I want to achieve the result that just allow jd process to open and > > read /data/audit/log/audit.log. > > For this target, I add some rules in policy file. > > And after that, I want to verify my po

Re: Extending file_contexts

2016-10-18 Thread Stephen Smalley
On 10/18/2016 09:33 AM, Sava Mikalački wrote: > I'm trying to extend aosp file_contexts by adding a new entry for > /data/system/ifw. I've created a file_contexts under my vendor directory > structure but if I try to use the new label, build crashes with unknown > type. I'm trying to enable a platf

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 9:34 AM, "Sava Mikalački" wrote: > > I'm trying to extend aosp file_contexts by adding a new entry for /data/system/ifw. I've created a file_contexts under my vendor directory structure but if I try to use the new label, build crashes with unknown type. I'm You need to declare the

Re: Extending file_contexts

2016-10-18 Thread Stephen Smalley
On 10/18/2016 10:23 AM, William Roberts wrote: > On Oct 18, 2016 9:34 AM, "Sava Mikalački" > wrote: >> >> I'm trying to extend aosp file_contexts by adding a new entry for > /data/system/ifw. I've created a file_contexts under my vendor directory > structure but if I t

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 10:33 AM, "Stephen Smalley" wrote: > > On 10/18/2016 10:23 AM, William Roberts wrote: > > On Oct 18, 2016 9:34 AM, "Sava Mikalački" > > wrote: > >> > >> I'm trying to extend aosp file_contexts by adding a new entry for > > /data/system/ifw. I've create

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 10:41 AM, "Sava Mikalački" wrote: > > Thanks everyone for your quick answers. Yes, compilation worked once I defined the type in file.te. I will try this out and also will try with system_app, probably that's simpler as you said. What's confusing me is that I get Permission denied ex

Re: Extending file_contexts

2016-10-18 Thread Sava Mikalački
Thanks everyone for your quick answers. Yes, compilation worked once I defined the type in file.te. I will try this out and also will try with system_app, probably that's simpler as you said. What's confusing me is that I get Permission denied exception when I try to create a file in that directory w

Re: Extending file_contexts

2016-10-18 Thread Stephen Smalley
On 10/18/2016 10:41 AM, Sava Mikalački wrote: > Thanks everyone for your quick answers. Yes, compilation worked once I > defined the type in file.te. I will try this out and also will try with > system_app, probably that's simpler as you said. What's confusing me is > that I get Permission denied exc

Re: Extending file_contexts

2016-10-18 Thread Sava Mikalački
I'm not sure how to answer the ownership question. I'm trying to allow my application to write files in data/system/ifw which would be picked up by the IntentFilter and then block certain application components from executing. I have existing code that does that and it worked on Marshmallow but its

Re: Extending file_contexts

2016-10-18 Thread Stephen Smalley
On 10/18/2016 10:23 AM, William Roberts wrote: > On Oct 18, 2016 9:34 AM, "Sava Mikalački" > wrote: >> >> I'm trying to extend aosp file_contexts by adding a new entry for > /data/system/ifw. I've created a file_contexts under my vendor directory > structure but if I t

Re: Extending file_contexts

2016-10-18 Thread Stephen Smalley
On 10/18/2016 10:49 AM, Sava Mikalački wrote: > I'm not sure how to answer the ownership question. I'm trying to allow > my application to write files in data/system/ifw which would be picked > up by the IntentFilter and then block certain application components > from executing. I have existing co

Re: Extending file_contexts

2016-10-18 Thread Sava Mikalački
Yes, this folder already exists in the system. If you place a file in a correct XML structure, it gets picked up by a file observer in IntentFirewall and thus enables filtering of application components. And yes, I want to have a dynamic way of handling disabled applications. As I said this worked

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 10:50, "Sava Mikalački" wrote: > > I'm not sure how to answer the ownership question. I'm trying to allow my application to write files in data/system/ifw So this already exists, is this location for intent firewall policies? which would be picked up by the IntentFilter and then

Re: Extending file_contexts

2016-10-18 Thread Stephen Smalley
On 10/18/2016 10:56 AM, Stephen Smalley wrote: > On 10/18/2016 10:49 AM, Sava Mikalački wrote: >> I'm not sure how to answer the ownership question. I'm trying to allow >> my application to write files in data/system/ifw which would be picked >> up by the IntentFilter and then block certain applica

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 11:01, "Sava Mikalački" wrote: > > Yes, this folder already exists in the system. If you place a file in a correct XML structure, it gets picked up by a file observer in IntentFirewall and thus enables filtering of application components. And yes, I want to have a dynamic way of ha

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 10:51, "Stephen Smalley" wrote: > > On 10/18/2016 10:23 AM, William Roberts wrote: > > On Oct 18, 2016 9:34 AM, "Sava Mikalački" > > wrote: > >> > >> I'm trying to extend aosp file_contexts by adding a new entry for > > /data/system/ifw. I've created a

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 11:08, "Stephen Smalley" wrote: > > On 10/18/2016 10:56 AM, Stephen Smalley wrote: > > On 10/18/2016 10:49 AM, Sava Mikalački wrote: > >> I'm not sure how to answer the ownership question. I'm trying to allow > >> my application to write files in data/system/ifw which would be pick

Re: Extending file_contexts

2016-10-18 Thread Sava Mikalački
Yup, exactly as Stephen said. When I set my app to share the system uid, I do get the following denial: type=1400 audit(0.0:15): avc: denied { write } for name="ifw" dev="dm-0" ino=678613 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0 Here is the output

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 11:43, "Sava Mikalački" wrote: > > Yup, exactly as Stephen said. When I set my app to share the system uid, I do get the following denial: > type=1400 audit(0.0:15): avc: denied { write } for name="ifw" dev="dm-0" ino=678613 scontext=u:r:system_app:s0 tcontext=u:object_r:system_dat

Re: Extending file_contexts

2016-10-18 Thread Stephen Smalley
On 10/18/2016 11:43 AM, Sava Mikalački wrote: > Yup, exactly as Stephen said. When I set my app to share the system uid, > I do get the following denial: > type=1400 audit(0.0:15): avc: denied { write } for name="ifw" dev="dm-0" > ino=678613 scontext=u:r:system_app:s0 > tcontext=u:object_r:system_d

Re: Extending file_contexts

2016-10-18 Thread Stephen Smalley
On 10/18/2016 12:26 PM, Stephen Smalley wrote: > On 10/18/2016 11:43 AM, Sava Mikalački wrote: >> Yup, exactly as Stephen said. When I set my app to share the system uid, >> I do get the following denial: >> type=1400 audit(0.0:15): avc: denied { write } for name="ifw" dev="dm-0" >> ino=678613 scon

Re: Extending file_contexts

2016-10-18 Thread Sava Mikalački
And if I label it in init.rc (I have my custom one), would I need to call restorecon() anyways? On Oct 18, 2016 18:41, "Stephen Smalley" wrote: > On 10/18/2016 12:26 PM, Stephen Smalley wrote: > > On 10/18/2016 11:43 AM, Sava Mikalački wrote: > >> Yup, exactly as Stephen said. When I set my app

Re: Extending file_contexts

2016-10-18 Thread Stephen Smalley
On 10/18/2016 01:01 PM, Sava Mikalački wrote: > And if I label it in init.rc (I have my custom one), would I need to > call restorecon() anyways? No, if you add a mkdir /data/system/ifw to your init.rc post-fs-data section, then init will create it with whatever label you specify in file_contexts,
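As an added example (not code from this thread, from AOSP, or from libselinux), the script below parses the AVC denial Sava quoted earlier in the thread and contrasts the audit2allow-style rule it would naively produce with the narrower fix the thread converges on: a dedicated type declared in file.te, a file_contexts entry, a mkdir in the post-fs-data section of init.rc so init creates the directory already carrying that label, and allow rules scoped to the new type only. The denial line and the path /data/system/ifw come from the thread; the type name ifw_data_file, the mode and owner on the mkdir line, and the choice of the AOSP macros rw_dir_perms and create_file_perms are assumptions made for illustration.

```python
import re

# Constructed sample input: the AVC denial quoted in the thread above,
# re-typed here as a string (not a live audit capture).
SAMPLE_DENIAL = (
    'type=1400 audit(0.0:15): avc: denied { write } for name="ifw" dev="dm-0" '
    'ino=678613 scontext=u:r:system_app:s0 '
    'tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial into its permission set, source domain, target
    type, object class and whether the domain was permissive.
    Returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; the type is always the third
    # field, so this also works for app contexts that carry MLS categories.
    return {
        'perms': m.group('perms').split(),
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'name': fields.get('name'),
        'permissive': fields.get('permissive') == '1',
    }


def naive_allow_rule(denial):
    """The rule audit2allow would suggest. For this denial it grants
    system_app write on every directory labeled system_data_file, which is
    far wider than the one directory the app actually needs."""
    return 'allow %s %s:%s { %s };' % (
        denial['sdomain'], denial['ttype'], denial['tclass'],
        ' '.join(denial['perms']))


def labeled_policy(denial, path, new_type):
    """The narrower fix: a dedicated type for the directory, a file_contexts
    entry so it is labeled, a mkdir in post-fs-data so init creates it with
    that label, and allow rules scoped to that type only.
    Returns a dict of fragment name -> text. The type name, the mkdir
    mode/owner and the macro choice are assumptions, not AOSP policy."""
    # path is used verbatim in the file_contexts regex; it has no
    # regex metacharacters, so no escaping is needed here.
    return {
        'file.te': 'type %s, file_type, data_file_type;\n' % new_type,
        'file_contexts': '%s(/.*)?\tu:object_r:%s:s0\n' % (path, new_type),
        'init.rc': 'on post-fs-data\n    mkdir %s 0770 system system\n' % path,
        '%s.te' % denial['sdomain']:
            'allow %s %s:dir rw_dir_perms;\n'
            'allow %s %s:file create_file_perms;\n'
            % (denial['sdomain'], new_type, denial['sdomain'], new_type),
    }


if __name__ == '__main__':
    d = parse_avc(SAMPLE_DENIAL)
    print('# audit2allow-style rule (over-broad):')
    print(naive_allow_rule(d))
    print('# dedicated-type approach:')
    for fname, text in labeled_policy(d, '/data/system/ifw', 'ifw_data_file').items():
        print('--- %s\n%s' % (fname, text), end='')
```

The point of the contrast is the one Stephen makes: the denial names system_data_file because the directory inherited the parent's label, and the right response is to give it its own type rather than to widen system_app's access to everything under that shared label. Creating the directory from init.rc in post-fs-data means no restorecon is needed, since init applies the file_contexts entry at mkdir time.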

Re: [PATCH 8/8] libselinux: add booleans.c to ANDROID_HOST=y recipe

2016-10-18 Thread Stephen Smalley
On 10/17/2016 04:24 PM, william.c.robe...@intel.com wrote: > From: William Roberts > > We build booleans.c with DISABLE_BOOL set on Android host > and target. Add that file to the upstream Makefile. > > Signed-off-by: William Roberts Thanks, applied the series. > --- > libselinux/src/Makefil