Let's try that again.

Bill,

  See if this works for you. The sepolicy.stripped lives out in
out/target/product/maguro/sepolicy.stripped. And the policy.conf.stripped
lives in out/target/product/maguro/obj/ETC/sepolicy_intermediates.


diff --git a/Android.mk b/Android.mk

index 24ef43a..93f4ea8 100644

--- a/Android.mk

+++ b/Android.mk

@@ -70,10 +70,12 @@ $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf) : $(call build_policy, security_classes
initial_sids access_vectors global_macros mls_macros mls policy_capabiliti\
es te_macros attributes *.te roles users initial_sid_contexts fs_use
genfs_contexts port_contexts)
        @mkdir -p $(dir $@)

        $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D
mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@

+       $(hide) sed '/dontaudit/d' $@ > [email protected]



 $(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf)
$(HOST_OUT_EXECUTABLES)/checkpolicy

        @mkdir -p $(dir $@)

        $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o
$@ $<
+       $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o
$(ANDROID_PRODUCT_OUT)/$(notdir $@).stripped $<.stripped


 built_sepolicy := $(LOCAL_BUILT_MODULE)

 sepolicy_policy.conf :=
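
Review bot: The `sed '/dontaudit/d'` step added after the m4 line deletes by line, not by statement. Any dontaudit rule that ends up spanning more than one line in the m4 output loses only the line containing the keyword, leaving a dangling fragment in the stripped policy.conf, and any other line that merely mentions dontaudit (a comment, for example) is dropped as well. Consider matching the whole statement up to its terminating `;`, or confirm that every dontaudit rule in policy.conf is on a single line. Separately, both .stripped files are produced as side effects of the existing recipes rather than as targets of their own, so make cannot track or rebuild them, and the second checkpolicy call writes into $(ANDROID_PRODUCT_OUT) from inside the $(LOCAL_BUILT_MODULE) recipe; giving each stripped file its own rule with a declared output would make the dependency explicit.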




On Thu, Mar 21, 2013 at 8:54 PM, Robert Craig <[email protected]> wrote:

> Bill,
>
>
>
> On Thu, Mar 21, 2013 at 1:41 PM, Stephen Smalley <[email protected]> wrote:
>
>> On 03/21/2013 12:48 PM, William Roberts wrote:
>>
>>> ok, that works for me, I didn't know if it was a controllable flag
>>> through selinuxfs.
>>>
>>
>> I think the only way to do that would be to wrap all dontaudit statements
>> with a conditional on a policy boolean.  Then you could switch the boolean
>> to enable/disable them.
>>
>> More easily we could just have the Makefile always post-process the
>> policy.conf to strip all dontaudit rules and generate a separate copy of
>> the binary policy.  Then you could easily adb push that to /data/security
>> and reload as needed.