On 08/08/2013 01:42 PM, Daniel Mirsky wrote:
> My stanzas do not have a permission or allow-all tag, but I would assume that
> apps would still be set to the right domain without that. With the
> mac_permissions.xml and seapp_contexts edits as described, ps -Z reports
>
> u:r:kernel:s0 app_28 3201 2010 com.android.exchange
> u:r:kernel:s0 app_4 3238 2010 android.process.media
> u:r:kernel:s0 app_32 3324 2010 com.android.providers.calendar
> u:r:kernel:s0 app_19 3406 2010 com.android.deskclock
> u:r:kernel:s0 app_8 3420 2010 com.android.calendar
> u:r:kernel:s0 app_5 3459 2010 com.android.gallery3d
> u:r:kernel:s0 app_37 3473 2010 com.android.quicksearchbox
>
> Without the edits, seapp_contexts
>
> user=_app domain=untrusted_app type=app_data_file levelFrom=app
>
> interprets a blank seinfo as untrusted, and ps -Z reports;
>
> u:r:untrusted_app:s0:c28,c256 app_28 3109 2010 com.android.exchange
> u:r:untrusted_app:s0:c10,c256 app_10 3210 2010 com.android.email
> u:r:untrusted_app:s0:c37,c256 app_37 3371 2010 com.android.quicksearchbox
> u:r:untrusted_app:s0:c4,c256 app_4 3417 2010 android.process.media
> u:r:untrusted_app:s0:c19,c256 app_19 3432 2010 com.android.deskclock
>
> Do I need the permission or allow-all tags just to have the process domains
> set correctly?

Yes; the match is performed based on the signature and allowed permissions, and the seinfo tag is only used if both checks pass.

I think however that you have larger problems because you have processes running in the kernel domain, which suggests that you are missing other changes. When did you download the local_manifest.xml file and run repo sync? Because I actually deleted the seandroid-4.0.4 branches on bitbucket.org a couple of days ago since 4.0.4 is obsolete and no longer supported. I'm wondering if perhaps you cloned it while it was in the midst of being removed and got an incomplete set. Or alternatively, you forgot to build with HAVE_SELINUX=true. Or built without HAVE_SELINUX=true once and didn't do a make clobber before building again.

I just pushed out the seandroid-4.0.4 branches again to bitbucket.org. You might try the following to see if it helps.

    cd manifests
    git checkout seandroid-4.0.4
    git pull
    cp local_manifest.xml ~/seandroid-4.0.4/.repo
    cd ~/seandroid-4.0.4
    repo sync
    make clobber
    export HAVE_SELINUX=true
    make
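
The symptom discussed in this thread (app processes left in the kernel domain, or running without per-app categories) can be checked mechanically from ps -Z output. The script below is an added example, not part of the original messages or the SE Android project; the function names are hypothetical, the column layout (label, user, PID, PPID, name) is assumed from the output quoted above, and the sample lines are constructed from it.

```shell
#!/bin/sh
# Added example (not from the thread): scan `ps -Z` output for app processes
# that never left the kernel domain or lack per-app MLS categories.
# Assumed column layout, as in the quoted output: LABEL USER PID PPID NAME

check_app_domains() {
    awk '
    { sub(/\r$/, "") }                 # tolerate CRLF from adb
    $2 ~ /^app_[0-9]+$/ {              # per-app UIDs only
        n = split($1, ctx, ":")        # user:role:domain:level[:categories]
        total++
        if (ctx[3] == "kernel") {
            bad++
            printf "KERNEL-DOMAIN %s pid=%s name=%s\n", $2, $3, $NF
        } else if (n < 5) {
            nocat++                    # levelFrom=app should add categories
            printf "NO-CATEGORIES %s pid=%s domain=%s\n", $2, $3, ctx[3]
        }
    }
    END {
        printf "apps=%d kernel_domain=%d missing_categories=%d\n", total, bad, nocat
        exit (bad > 0 ? 1 : 0)
    }'
}

# Constructed sample: the mislabelled case reported in the thread.
sample_broken() {
    cat <<'EOF'
LABEL USER PID PPID NAME
u:r:kernel:s0 app_28 3201 2010 com.android.exchange
u:r:kernel:s0 app_4 3238 2010 android.process.media
u:r:kernel:s0 root 2 0 kthreadd
EOF
}

# Constructed sample: the expected labelling with levelFrom=app.
sample_ok() {
    cat <<'EOF'
LABEL USER PID PPID NAME
u:r:untrusted_app:s0:c28,c256 app_28 3109 2010 com.android.exchange
u:r:untrusted_app:s0:c10,c256 app_10 3210 2010 com.android.email
EOF
}

sample_broken | check_app_domains || echo "app processes are not being labelled"
sample_ok | check_app_domains && echo "app domains look correct"
```

On a device, pipe `adb shell ps -Z` into check_app_domains; a non-zero exit status means at least one app process is still in the kernel domain.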
