Hi all, I have a question about isolating apps from each other. I use the Samsung default policy.
> *From The SELinux Notebook p299:*
> Use of MLS categories to isolate apps

But when I use ps -Z, all app processes are labeled like this: "u:r:untrusted_app:s0" / "u:r:system_app:s0" / "u:r:samsung_app:s0". They are all in the same category (s0). That means that any process can interact with an s0 process from a category perspective. And all processes with the same type (untrusted_app_t) and no categories (s0) can affect each other from an SELinux perspective.

Someone told me that the reason why all untrusted apps have no categories may be to protect the remaining system resources that do have categories. But I can't find system resources that have a category. Where is MLS used?

I don't know if I misunderstand something, but can any app (in the same label) affect another app (from an SELinux perspective)? If it's true, how can I isolate my own new app? (Make a new policy and use type enforcement on it?)

Thanks,
Thomas Coudray
