Tried rebuilding + using the generated mac_permissions.xml file but
still failed. However if I remove the package name it does work:

setool --policy external/sepolicy/mac_permissions.xml SEAndroidDemo.apk
Policy passed for com.example.seandroiddemo (./SEAndroidDemo.apk).

<signer signature="-Removed key info-">
<!--  <package name="com.example.seandroiddemo"> -->
    <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
    <allow-permission name="android.permission.SEND_SMS" />
    <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <allow-permission name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
    <seinfo value="demo" />
<!--  </package> -->
</signer>

Richard

--- On Mon, 11/3/13, Stephen Smalley <[email protected]> wrote:

> From: Stephen Smalley <[email protected]>
> Subject: Re: Query regarding setool --policy
> To: "Richard Haines" <[email protected]>
> Cc: [email protected]
> Date: Monday, 11 March, 2013, 18:56
> On 03/11/2013 01:17 PM, Stephen Smalley wrote:
> > On 03/11/2013 12:49 PM, Richard Haines wrote:
> >> I've been using setool to generate entries for the mac_permissions file
> >> and come across a minor problem when using "setool --policy ..." with
> >> 4.2.2.
> >>
> >> I generate an entry as Example 1 and add it to mac_permissions.xml.
> >> I then run setool --policy as Example 2, but it states the app would
> >> be rejected.
> >> However I installed the updated mac_permissions.xml file and run Android
> >> with MMAC enforcing - The app works correctly (if I remove a permission
> >> the app fails to load - which is also correct).
> >>
> >> Does setool --policy just check the <default> entries, or am I missing
> >> something ??
> >
> > Try using the generated mac_permissions.xml file instead, i.e.
> > setool --policy out/target/product/<device>/system/etc/security/mac_permissions.xml ...
> >
> > The source mac_permissions.xml file no longer contains the full
> > signature string but only a symbolic tag that is expanded during build
> > based on external/sepolicy/keys.conf.
>
> It seems there was also a bug in setool.  Try running repo sync and
> rebuilding.



--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
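
The quoted reply explains that the source mac_permissions.xml holds only a symbolic tag that the build expands into the full signature string. The sketch below is an added example, not part of the thread and not setool or AOSP build code: it classifies each signer stanza as an unexpanded tag or an expanded certificate, then performs the expansion. The "@" tag prefix, the "@DEMO" tag, the hex-of-DER signature form and the stand-in certificate bytes are assumptions or constructed values.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

# Constructed sample: stand-in bytes, not a real certificate.
FAKE_DER = b"constructed stand-in for DER certificate bytes"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(FAKE_DER).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed source-tree style policy; "@DEMO" is a hypothetical tag.
SOURCE_POLICY = """<policy>
  <signer signature="@DEMO">
    <package name="com.example.seandroiddemo">
      <seinfo value="demo" />
    </package>
  </signer>
</policy>"""


def classify(signature):
    """Say whether a signer attribute is an unexpanded tag or a hex certificate."""
    if signature.startswith("@"):  # assumed tag form
        return "symbolic-tag"
    return "hex-cert" if HEX_RE.match(signature) else "malformed"


def audit(xml_text):
    """Return (kind, package names) for every signer stanza."""
    root = ET.fromstring(xml_text)
    return [(classify(s.get("signature", "")),
             [p.get("name") for p in s.findall("package")])
            for s in root.iter("signer")]


def expand(xml_text, tag_to_pem):
    """Replace each known tag with the hex of its certificate's DER bytes."""
    root = ET.fromstring(xml_text)
    for signer in root.iter("signer"):
        pem = tag_to_pem.get(signer.get("signature", ""))
        if pem is not None:
            body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
            signer.set("signature", binascii.hexlify(base64.b64decode(body)).decode())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit(SOURCE_POLICY))
    print(audit(expand(SOURCE_POLICY, {"@DEMO": FAKE_PEM})))
```

A stanza reported as symbolic-tag cannot match any APK certificate, so a policy check run against a file in that state rejects the app regardless of its package or permission entries.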
