On Wed, 2012-10-17 at 12:04 +0200, Alexandra Test wrote:
> After rebuilding the OS, I can finally modify the policies by sending the
> new sepolicy.24 file.
>
> I still have one question.
> I put the phone in enforcing mode and then try to install an
> application. Do I always need to switch to permission mode and
> eventually add the policies I need to install the application?
Just to clarify, there are two separate mechanisms, policies, and enforcing modes in SE Android: one at the kernel layer (SELinux), and one at the middleware layer (install-time MAC aka middleware MAC aka MMAC).

The SELinux policy (sepolicy) won't prevent app installation; it just controls runtime actions of the app at the kernel layer. The install-time MAC policy (mac_permissions.xml) will prevent app installation if the app is not authorized for the requested Android permissions.

You may need to toggle the install-time MAC mechanism between enforcing and permissive in order to install an app initially unless you have the .apk already available somewhere. If you have the .apk available to you, you can use setool to determine the requisite permissions and generate appropriate mac_permissions.xml entries for it.

In either case, you only have to change policy if the app requires a permission not already granted to apps in its same security equivalence class, which is based on criteria such as the certificate by which it was signed and for the system apps, the UID in which the app runs.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
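The install-time decision described in the reply above, modelled as an added example (not part of the original message and not SE Android or setool code). The XML layout is an assumed, reduced schema rather than the exact mac_permissions.xml grammar, `CERT_A`/`CERT_B` are constructed placeholders for signing certificates, and the function names are hypothetical.

```python
# Added illustration: simplified model of an install-time MAC (MMAC) decision.
# The XML layout is an assumed, reduced schema, not the exact
# mac_permissions.xml grammar of any SE Android release.
import xml.etree.ElementTree as ET

# Constructed sample policy: one signer stanza plus a default stanza.
POLICY_XML = """
<policy>
  <signer signature="CERT_A">
    <allow-permission name="android.permission.INTERNET"/>
    <allow-permission name="android.permission.CAMERA"/>
  </signer>
  <default>
    <allow-permission name="android.permission.INTERNET"/>
  </default>
</policy>
"""

def load_policy(xml_text):
    """Map each signer certificate (or 'default') to its allowed permissions."""
    root = ET.fromstring(xml_text)
    policy = {}
    for stanza in root:
        key = stanza.get("signature") if stanza.tag == "signer" else "default"
        policy[key] = {p.get("name") for p in stanza.findall("allow-permission")}
    return policy

def check_install(policy, signer_cert, requested, enforcing=True):
    """Return (allowed, missing); missing lists permissions the class lacks."""
    # The equivalence class is chosen by signing certificate, else 'default'.
    allowed_perms = policy.get(signer_cert, policy.get("default", set()))
    missing = sorted(set(requested) - allowed_perms)
    # In permissive mode the install is not blocked even if permissions are missing.
    return (not missing or not enforcing), missing

def entries_to_add(missing):
    """Policy lines needed only for permissions the class does not yet have."""
    return ['<allow-permission name="%s"/>' % p for p in missing]

if __name__ == "__main__":
    pol = load_policy(POLICY_XML)
    want = ["android.permission.INTERNET", "android.permission.CAMERA"]
    for cert in ("CERT_A", "CERT_B"):
        ok, missing = check_install(pol, cert, want)
        print(cert, "install allowed" if ok else "install denied", entries_to_add(missing))
```

An empty `missing` list corresponds to the case where no policy change is needed because the app's class already holds every requested permission.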
