Tai Nguyen (tainguye) wrote:
All,
Currently, shell has very limited permission (i.e., can't do ps) and we
have to move to su domain to do those commands.
On our devices, su is not available, thus, we can't use the su
transition rule. Can we do type transition based on the shell id ?
Since seandroid uses both DAC and MAC, I think it make sense to have
unconfined_domain for account with low privilege so that it can't cause
much damage to the system.
For development I typically add;
permissive shell;
to the policy. In production we don't really want shell doing things
(esp since it is a main vector for root exploits).
Thanks,
Tai
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
