On Wed, Jan 23, 2013 at 11:57 AM, Stephen Smalley <[email protected]> wrote:
> On 01/23/2013 02:50 PM, William Roberts wrote:
>>
>> I have some patches I am cleaning up right now for moving the
>> /data/system policy files to their own location. Since those files are
>> key to security, as well as the reload prop, these really need to be
>> protected. I am concerned that the system_data_file domain could grow
>> too large, given customizations OEMs do on Android. Also, by giving
>> it its own type, the allow rules really stand out.
>>
>> In general, I want to see how the community feels about this?
>>
>> I am also up in the air on what to name the type and the location on
>> /data...
>>
>> I was thinking /data/security and label them as security_file..
>>
>> Also we have to make sure we label mac_permissions.xml in the system
>> image. Obviously the allow rules will have to be updated, I was
>> thinking along the lines of a nice macro(s), that make it clear this
>> can manage policies.
>
>
> Agree with the concept. Not overly concerned about the location or type as
> long as it is easily separated from the rest of data; could even be a
> subdirectory of /data/system, e.g. /data/system/security or
> /data/system/sepolicy.

I don't want to do a subdir of /data/system as I didn't see it get
created in generic init.rc and don't want to be the one to make it.
However, I think /data/security is reasonable to me.

>
> I don't think we need to label mac_permissions.xml in the system image
> differently however. Unlike /data/system and the system_data_file type, the
> default system_file type for /system files is not writable by any confined
> domain. We can do that because system is mounted read-only anyway, so there
> is never a legitimate reason to write to it at runtime except for updates.
>

Agreed, for some reason I always think it's in data...dummy :-P

--
Respectfully,

William C Roberts
