On 08/08/2013 11:07 AM, Daniel Mirsky wrote:
> Hello,
> We are trying to get seandroid 4.0.4 working on some custom hardware based on
> the OMAP3EVM. Unfortunately, we do not have the latest Android builds working
> on this hardware, so we have to use 4.0.4.

4.0.4! Wow, a blast from the past.

> I have gotten SELinux and SEAndroid running, but am having trouble with app
> labeling. I have tried signing with a custom key (and adding the necessary
> changes to mac_permissions, keys.conf, seapp_contexts, and app.te) as well as
> signing with the platform key provided in build/target/product/security. I have
> verified the signature from the generated mac_permissions.xml matches the
> signature of my app (logged with PackageManager from within the app), but it is
> still listed as untrusted_app in ps.
> I also tried editing mac_permissions.xml so the default entry is given an seinfo label of
> "default":
>     <!-- All other keys -->
>     <default>
>       <seinfo value="default" />
>     </default>

The stanzas will default deny if you don't include any of the other
permission or allow-all tags. You should need something like:

    <default>
      <seinfo value="default"/>
      <allow-all />
    </default>

Are your stanzas constructed in a similar fashion? With either a
permission or allow-all tag?
Let me try to build a 4.0.4 version here and see what I can diagnose.

> and then edited seapp_contexts to check for seinfo="default" for untrusted_app.
>     user=_app seinfo=default domain=untrusted_app type=app_data_file levelFrom=app
> This resulted in all apps being started in the kernel domain.
> It looks like the seinfo value is not being set. Is there a way to check the
> seinfo value from adb?

The seinfo value is saved off in the ApplicationInfo object with each
package, so if you could dump that then yes. However, I don't know of a
way to do this from adb. You can try 'dumpsys' but I believe that
doesn't list the contents of the ApplicationInfo object. You might have
to put in a few print statements in the code. Back in 4.04 the logic was
directly inside the PMS code.

> Is there a step I am missing? Where should I look to solve this issue?
> Thanks,
> Dan
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
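
Added example, not part of the original message or of the SEAndroid code: a small offline check for the condition described in the reply above, listing each stanza of a mac_permissions.xml with its seinfo value and flagging stanzas that have neither an allow-all nor a permission tag. Assumptions: the sample file is constructed, stanzas are direct children of the root element, and a "permission tag" is taken to be any child element whose name ends in "permission".

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout quoted in the thread (not from a real device).
SAMPLE = """<policy>
  <signer signature="@PLATFORM">
    <seinfo value="platform" />
    <allow-all />
  </signer>
  <!-- All other keys -->
  <default>
    <seinfo value="default" />
  </default>
</policy>"""

def has_policy_tag(stanza):
    # Assumption: a "permission tag" is any child whose name ends in "permission".
    return any(c.tag == "allow-all" or c.tag.endswith("permission") for c in stanza)

def audit_stanzas(xml_text):
    """Return (stanza label, seinfo value or None, has policy tag) per stanza."""
    rows = []
    for stanza in ET.fromstring(xml_text):
        ident = stanza.get("signature") or stanza.get("name")
        label = f"{stanza.tag}[{ident}]" if ident else stanza.tag
        seinfo = stanza.find("seinfo")
        value = seinfo.get("value") if seinfo is not None else None
        rows.append((label, value, has_policy_tag(stanza)))
    return rows

def default_deny_stanzas(xml_text):
    """Labels of stanzas that carry an seinfo value but no policy tag."""
    return [label for label, value, ok in audit_stanzas(xml_text)
            if value is not None and not ok]

if __name__ == "__main__":
    for label, value, ok in audit_stanzas(SAMPLE):
        note = "ok" if ok else "no allow-all/permission tag"
        print(f"{label:20} seinfo={value!s:10} {note}")
```

Run it against the mac_permissions.xml generated by the build rather than the source template, since that is the file the device actually reads.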