On 08/08/2013 11:07 AM, Daniel Mirsky wrote:
> Hello,
> 
> We are trying to get seandroid 4.0.4 working on some custom hardware based on 
> the OMAP3EVM. Unfortunately, we do not have the latest Android builds working 
> on this hardware, so we have to use 4.0.4.
> 
> I have gotten SELinux and SEAndroid running, but am having trouble with app 
> labeling. I have tried signing with a custom key (and adding the necessary 
> changes to mac_permissions, keys.conf, seapp_context, and app.te) as well as 
> signing with the platform key provided in build/target/product/security. I 
> have verified the signature from the generated mac_permissions.xml matches 
> the signature of my app (logged with PackageManager from within the app), but 
> it is still listed as untrusted_app in ps.
> 
> I also tried editing mac_permissions.xml so the default entry is given an 
> seinfo label of "default":
>     <!-- All other keys -->
>     <default>
>       <seinfo value="default" />
>     </default>
> 
> and then edited seapp_contexts to check for seinfo="default" for 
> untrusted_app.
>       user=_app seinfo=default domain=untrusted_app type=app_data_file levelFrom=app
> This resulted in all apps being started in the kernel domain.
> 
> It looks like the seinfo value is not being set. Is there a way to check the 
> seinfo value from adb?
> Is there a step I am missing? Where should I look to solve this issue?

The fact that you have apps running in the kernel domain suggests that
you have much bigger problems than just seinfo tagging.  Like maybe you
never loaded a policy at all or if you did, you never transitioned to
the init domain via the setcon statement in init.rc.

Here's a random guess:  you pulled down a recent external/sepolicy with
your 4.0.4 checkout, and current external/sepolicy builds policy version
26, but your kernel doesn't support policy version 26 and therefore
policy couldn't be loaded.  You need at least kernel >= 3.0 to use
policy version 26.  Otherwise you need to force the policy version back
to 24 via POLICYVERS=24 in your environment or in the
external/sepolicy/Android.mk file.

But please note that seandroid 4.0.4 is not supported by us any longer.
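
The policy-version mismatch guessed at above can be checked before flashing. The following is an added example, not part of the original message or of the SE Android sources: it reads the version field from a compiled binary policy header and compares it with the maximum the kernel reports in the policyvers node of selinuxfs. The function names and the sample headers are constructed for illustration.

```python
import struct

POLICYDB_MAGIC = 0xF97CFF8C    # magic number at the start of a kernel binary policy
POLICYDB_STRING = b"SE Linux"  # identifier string that follows the magic


def policy_version(blob: bytes) -> int:
    """Return the policy version stored in a binary policy image header."""
    if len(blob) < 8:
        raise ValueError("truncated policy header")
    magic, strlen = struct.unpack_from("<II", blob, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("not a binary SELinux policy (bad magic)")
    end = 8 + strlen
    if strlen != len(POLICYDB_STRING) or blob[8:end] != POLICYDB_STRING:
        raise ValueError("unexpected policy identifier string")
    if len(blob) < end + 4:
        raise ValueError("truncated policy header")
    # The 32-bit word after the identifier string is the policy version.
    return struct.unpack_from("<I", blob, end)[0]


def check_loadable(blob: bytes, kernel_max: int):
    """kernel_max is the number read on the device from selinuxfs 'policyvers'
    (the mount point differs between kernel generations)."""
    ver = policy_version(blob)
    if ver > kernel_max:
        return False, (f"policy is version {ver}, kernel accepts at most {kernel_max}: "
                       f"load will fail, rebuild with POLICYVERS={kernel_max}")
    return True, f"policy version {ver} is within kernel maximum {kernel_max}"


def make_header(version: int) -> bytes:
    """Constructed sample: only the header fields, not a complete policy."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING
            + struct.pack("<IIII", version, 0, 0, 0))


if __name__ == "__main__":
    # Constructed scenario from the thread: version 26 policy, older kernel.
    for built, kernel_max in ((26, 24), (24, 24)):
        ok, msg = check_loadable(make_header(built), kernel_max)
        print("OK  " if ok else "FAIL", msg)
```

On a real build, pass the bytes of the compiled sepolicy file instead of make_header(). A failed load of this kind leaves every process in the kernel domain, which matches the symptom described in the question.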
