On Aug 8, 2013, at 2:19 PM, Stephen Smalley wrote:

> On 08/08/2013 01:42 PM, Daniel Mirsky wrote:
>> My stanzas do not have a permission or allow-all tag, but I would assume
>> that apps would still be set to the right domain without that. With the
>> mac_permissions.xml and seapp_contexts edits as described, ps -Z reports:
>>
>> u:r:kernel:s0 app_28 3201 2010 com.android.exchange
>> u:r:kernel:s0 app_4 3238 2010 android.process.media
>> u:r:kernel:s0 app_32 3324 2010 com.android.providers.calendar
>> u:r:kernel:s0 app_19 3406 2010 com.android.deskclock
>> u:r:kernel:s0 app_8 3420 2010 com.android.calendar
>> u:r:kernel:s0 app_5 3459 2010 com.android.gallery3d
>> u:r:kernel:s0 app_37 3473 2010 com.android.quicksearchbox
>>
>> Without the edits, seapp_contexts
>>
>> user=_app domain=untrusted_app type=app_data_file levelFrom=app
>>
>> interprets a blank seinfo as untrusted, and ps -Z reports:
>>
>> u:r:untrusted_app:s0:c28,c256 app_28 3109 2010 com.android.exchange
>> u:r:untrusted_app:s0:c10,c256 app_10 3210 2010 com.android.email
>> u:r:untrusted_app:s0:c37,c256 app_37 3371 2010 com.android.quicksearchbox
>> u:r:untrusted_app:s0:c4,c256 app_4 3417 2010 android.process.media
>> u:r:untrusted_app:s0:c19,c256 app_19 3432 2010 com.android.deskclock
>>
>> Do I need the permission or allow-all tags just to have the process domains
>> set correctly?
>
> Yes; the match is performed based on the signature and allowed
> permissions, and the seinfo tag is only used if both checks pass.
>
> I think however that you have larger problems because you have processes
> running in the kernel domain, which suggests that you are missing other
> changes.
>
> When did you download the local_manifest.xml file and run repo sync?
> Because I actually deleted the seandroid-4.0.4 branches on bitbucket.org
> a couple of days ago since 4.0.4 is obsolete and no longer supported.
> I'm wondering if perhaps you cloned it while it was in the midst of
> being removed and got an incomplete set.
>
> Or alternatively, you forgot to build with HAVE_SELINUX=true. Or built
> without HAVE_SELINUX=true once and didn't do a make clobber before
> building again.
>
> I just pushed out the seandroid-4.0.4 branches again to bitbucket.org.
> You might try the following to see if it helps.
>
> cd manifests
> git checkout seandroid-4.0.4
> git pull
> cp local_manifest.xml ~/seandroid-4.0.4/.repo
> cd ~/seandroid-4.0.4
> repo sync
> make clobber
> export HAVE_SELINUX=true
> make

I don't remember when I pulled down this set of source, but it was over a week ago. However, I may have pulled down a branch recently, so I will give that a try. I did make sure to set HAVE_SELINUX=true.

I think the problem is in my init.rc - looks like it was overwritten by TI's board-specific init.rc and the problems are coming from there. I will try to merge the two and see what changes.

-- 
This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
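The thread turns on two things: how a seapp_contexts entry such as `user=_app domain=untrusted_app type=app_data_file levelFrom=app` assigns a domain and MLS level to an app UID, and how to spot from `ps -Z` output that app processes have landed in the wrong domain (here, `kernel`) before digging into init.rc. The script below is an added example, not code from the thread or from the SE Android project. It reimplements a simplified version of the seapp_contexts matching rule (an entry without `seinfo=` matches any seinfo; the most specific matching entry wins; `levelFrom=app` yields `s0:c<appid>,c<256+(appid>>8)>`, which reproduces the `c28,c256` style categories seen above), then parses constructed `ps -Z` lines modelled on the ones in the thread and reports every `app_N` process whose actual domain differs from what the policy would assign. The `platform_app` entry and the `/init` line are assumptions added for illustration.

```python
"""Added example: check `ps -Z` output against seapp_contexts assignments."""
import re
from dataclasses import dataclass

AID_APP = 10000    # first application uid
AID_USER = 100000  # uids per Android user

# First line is the one quoted in the thread; the platform_app entry is a
# constructed assumption (real policies carry several more entries).
SEAPP_CONTEXTS = """\
user=_app domain=untrusted_app type=app_data_file levelFrom=app
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
"""

# Constructed `ps -Z` sample modelled on the thread; the /init line is assumed.
PS_Z = """\
LABEL USER PID PPID NAME
u:r:kernel:s0 app_28 3201 2010 com.android.exchange
u:r:kernel:s0 app_4 3238 2010 android.process.media
u:r:untrusted_app:s0:c10,c256 app_10 3210 2010 com.android.email
u:r:untrusted_app:s0:c37,c256 app_37 3371 2010 com.android.quicksearchbox
u:r:init:s0 root 1 0 /init
"""

INPUT_KEYS = ("user", "seinfo", "name")  # selectors an entry may match on


def parse_seapp_contexts(text):
    """Turn each non-comment line into a dict of key=value pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries


def select_domain(entries, uid, seinfo=""):
    """Return (domain, level) for a uid, mimicking seapp_contexts lookup.

    Simplification: any non-app uid is treated as user 'system'.
    """
    appid = uid % AID_USER
    if appid >= AID_APP:
        username, appid = "_app", appid - AID_APP
    else:
        username = "system"
    best = None
    for e in entries:
        if "user" in e and e["user"] != username:
            continue
        if "seinfo" in e and e["seinfo"] != seinfo:  # absent seinfo= matches any
            continue
        specificity = sum(k in e for k in INPUT_KEYS)
        if best is None or specificity > best[0]:
            best = (specificity, e)
    if best is None:
        return None
    entry = best[1]
    level = "s0"
    if entry.get("levelFrom") == "app":
        # Per-app categories: low byte of the app id, then 256 + high bits.
        level = "s0:c%u,c%u" % (appid & 0xFF, 256 + (appid >> 8))
    return entry["domain"], level


@dataclass
class Proc:
    context: str
    user: str
    pid: int
    ppid: int
    name: str

    @property
    def domain(self):
        return self.context.split(":")[2]  # u:r:<domain>:...


def parse_ps_z(text):
    """Parse `ps -Z` lines of the form LABEL USER PID PPID NAME."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[0] == "LABEL":
            continue
        ctx, user, pid, ppid, name = parts
        procs.append(Proc(ctx, user, int(pid), int(ppid), name))
    return procs


def misplaced_app_processes(procs, entries):
    """(pid, name, actual domain, expected domain) for app_N processes
    whose domain is not the one seapp_contexts would assign for blank seinfo."""
    findings = []
    for p in procs:
        m = re.fullmatch(r"app_(\d+)", p.user)
        if not m:
            continue
        expected = select_domain(entries, AID_APP + int(m.group(1)))
        exp_domain = expected[0] if expected else None
        if p.domain != exp_domain:
            findings.append((p.pid, p.name, p.domain, exp_domain))
    return findings


if __name__ == "__main__":
    policy = parse_seapp_contexts(SEAPP_CONTEXTS)
    for f in misplaced_app_processes(parse_ps_z(PS_Z), policy):
        print("pid %d %s runs as %s, policy would assign %s" % f)
```

Against the constructed sample the check flags the two `kernel`-domain app processes and leaves the `untrusted_app` ones alone, which is the same signal Stephen reads from the output above: a label of `u:r:kernel:s0` on an `app_N` process means the zygote-side labelling never happened at all, rather than a stanza in mac_permissions.xml merely failing to match.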
