I've had the following problems concerning install MMAC after sync on
Friday (6th April):
1) After adding new entries in mac_permissions.xml to allow an app access,
the install fails. In the log:
W/SELinuxMMAC( 307): MMAC_DENIAL: Policy blacklisted permission android.permission.WRITE_EXTERNAL_STORAGE for package com.example.seandroiddemo
W/PackageManager( 307): Installing application package com.example.seandroiddemo failed due to policy.
W/PackageManager( 307): Package couldn't be installed in /data/app/com.example.seandroiddemo-1.apk
The new mac_permissions.xml entry is:
<signer signature="sig-removed for email">
<package name="com.example.seandroiddemo">
<allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.SEND_SMS" />
<allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
<allow-permission
name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
</package>
</signer>
I'm sure this did work on a previous release a few weeks ago. The log
states that the mac_permissions were processed ok:
I/SELinuxMMAC( 303): <package> inner tag: (com.example.seandroiddemo) assigned allowed-permissions =>
I/SELinuxMMAC( 303): [android.permission.READ_EXTERNAL_STORAGE,
I/SELinuxMMAC( 303): android.permission.SEND_SMS,
I/SELinuxMMAC( 303): android.permission.WRITE_EXTERNAL_STORAGE,
I/SELinuxMMAC( 303): com.example.seandroiddemo.permission.DEADLY_ACTIVITY]
2) insertkeys.py does not union two or more mac_permissions.xml files
correctly. I used this entry + the default mac_permissions.xml file:
<?xml version="1.0" encoding="utf-8"?>
<policy>
<signer signature="sig-removed for email">
<package name="com.example.seandroiddemo">
<allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.SEND_SMS" />
<allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
<allow-permission
name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
</package>
</signer>
</policy>
The problem is that insertkeys.py adds two <policy> entries:
<policy>..default entries..</policy><policy>..new entries</policy>
(FYI - If I remove the <policy> tags insertkeys still fails to build ok)
The mmac_types.xml has the same problem. setool fails with a markup error
and SELinuxMMAC.java does not load the second segment.
3) This is not a bug but a suggestion. As you now allow multiple
mmac_types.xml files in sepolicy/Android.mk, will multiple
intent_mac.xml files be supported, as each mmac_types entry will
generally require a corresponding intent_mac entry?
Richard
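The double-<policy> output reported in item 2, next to a merge that keeps a single root, as an added example that is not part of the original message and is not insertkeys.py's own code. The function names, the placeholder signatures and the com.example.other package are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: signatures and the first package name are placeholders.
DEFAULT_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<policy>
  <signer signature="PLACEHOLDER_SIG_A">
    <package name="com.example.other">
      <allow-permission name="android.permission.INTERNET" />
    </package>
  </signer>
</policy>"""

EXTRA_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<policy>
  <signer signature="PLACEHOLDER_SIG_B">
    <package name="com.example.seandroiddemo">
      <allow-permission name="android.permission.SEND_SMS" />
    </package>
  </signer>
</policy>"""


def is_well_formed(text):
    """True if text parses as a single-rooted XML document."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def naive_concat(documents):
    """Reproduce the reported shape: one <policy> element per input file."""
    return "".join(ET.tostring(ET.fromstring(d), encoding="unicode")
                   for d in documents)


def merge_policies(documents):
    """Move every input's child elements under one shared <policy> root."""
    merged = ET.Element("policy")
    for doc in documents:
        root = ET.fromstring(doc)
        if root.tag != "policy":
            raise ValueError("unexpected root element: %r" % root.tag)
        merged.extend(list(root))
    return ET.tostring(merged, encoding="unicode")
```

A parser that stops at the first root, or rejects the file outright, leaves the second file's signer entries unenforced, so checking well-formedness of the generated policy at build time catches the problem before it reaches a device.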