On 06/27/2013 11:57 AM, Ronan TROTIN wrote:
> Hi,
> To demonstrate the possibilities of selinux/seforandroid to my company I
> wanted to make a demo app which creates files on the sdcard and then show
> that any other app is unable to access them.
> I made my own types for the app process and app data files (copying
> what you did with the platform apps) and used seapp_contexts to set all of
> this on execution.
> I added "file_type_auto_trans(corporate_app, sdcard_type,
> corporate_file)" to my policy, but the created files stay with the
> sdcard_internal label.
> I don't understand why. :\
> What's the best practice for this use case?
Conventional sdcard is a vfat filesystem (even for the internal one,
layered via fuse on top of ext4), and thus does not support per-file
security labeling, only a single security context for the vfat mount.
I think the GS4/KNOX approach was to mount a virtual sdcard for each
container, in which case you can label each vfat mount with a separate
context using the context= mount option. Or you could just format the
sdcard with an ext4 filesystem and have real per-file labeling.
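The distinction above (one label per vfat or fuse mount, optionally fixed with the context= mount option, versus per-file labels on ext4) can be checked on a device from /proc/mounts. The following is an added example, not code from either poster: a POSIX sh audit run over constructed /proc/mounts-style lines; the corporate_sdcard_file context and the block device paths are made up for the sample.

```shell
#!/bin/sh
# Constructed sample in the style of /proc/mounts on an Android device.
SAMPLE_MOUNTS='/dev/block/vold/179:97 /storage/sdcard1 vfat rw,nosuid,nodev,noexec,uid=1023,gid=1023,fmask=0007 0 0
/dev/fuse /storage/emulated/0 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023 0 0
/dev/block/vold/179:98 /mnt/corp vfat rw,nosuid,nodev,noexec,context=u:object_r:corporate_sdcard_file:s0 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,nosuid,nodev,relatime,noauto_da_alloc 0 0'

# labeling_mode <fstype> <mount options>
# Prints one of:
#   per-file                -> filesystem stores security xattrs, so
#                              file_type_auto_trans rules can take effect
#   mount-wide:<context>    -> no xattrs; every file gets the context= label
#   mount-wide:default      -> no xattrs and no context= option; every file
#                              gets the policy's default label for that fs
labeling_mode() {
  fstype=$1
  opts=$2
  case "$fstype" in
    ext2|ext3|ext4|f2fs|xfs|btrfs)
      echo "per-file" ;;
    *)
      # Pull the value of a context= option, if any, out of the option list.
      ctx=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^context=//p')
      if [ -n "$ctx" ]; then
        echo "mount-wide:$ctx"
      else
        echo "mount-wide:default"
      fi ;;
  esac
}

# audit_mounts: reads /proc/mounts-style text on stdin and prints
# "<mountpoint> <fstype> <labeling mode>" for each entry.
audit_mounts() {
  while read -r dev mnt fstype opts rest; do
    [ -n "$fstype" ] || continue
    printf '%s %s %s\n' "$mnt" "$fstype" "$(labeling_mode "$fstype" "$opts")"
  done
}

# On a real device: audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

In the sample, /storage/sdcard1 and the fuse-backed emulated sdcard report a single default label, /mnt/corp reports the label set by context=, and only /data can carry the corporate_file label per file.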
--
This message was distributed to subscribers of the seandroid-list mailing list.