Thanks for the clarification. Looks like I was wrong when I thought the email app is signed by platform key. I actually don't want to use my own key to sign the app, just leave it using the release/testkey key.
I have tried again using the seinfo=release with my specific domain for email app:

user=_app name=com.android.email seinfo=release domain=email_app type=email_app_data_file

Now the email app in my nexus 7 is assigned using my domain, instead of the general release_app domain.

BTW, I am just curious why not provide fine-grained domain for each app. Are the current platform_app, release_app domains too coarse-grained?

Thank you very much! Have a nice day!

----
Looking forward to your reply
Best Regards!

Sincerely yours,
Ruowen Wang
Graduate Student
Department of Computer Science
North Carolina State University
E-mail: [email protected]

On Wed, Oct 16, 2013 at 3:49 PM, William Roberts <[email protected]> wrote:

> Also, if you're signing it with your own key, you need to either extract the
> pem file (public key) from the app and set that up in keys.conf.
>
> There is a decent readme in external/sepolicy/README
>
> The relevant files are:
> keys.conf : maps a pem file to an arbitrary tag in mac_permissions.xml
> (look for signature=@RELEASE). All this does is at build time jam the
> public key into that spot
> mac_permissions.xml : maps a signing key to an seinfo string
> seapp_contexts : maps a set of inputs (one of them being seinfo) into the
> runtime domain and app installation directory types...
>
> It can be a bit confusing traversing this in the beginning.
>
> Bill
>
> On Wed, Oct 16, 2013 at 5:40 AM, rpcraig <[email protected]> wrote:
>
>> On 10/16/2013 08:09 AM, rpcraig wrote:
>>
>> On 10/15/2013 11:11 PM, Ruowen Wang wrote:
>>
>> Hi SEAndroid,
>>
>> I am trying to see if it is possible to assign specific app using
>> specific domain name in seapp_context. For example,
>>
>> user=_app name=com.android.email seinfo=platform domain=email_app
>> type=email_app_data_file
>>
>> I want to assign the email app using email_app domain, but still using
>> platform key and seinfo=platform. Is this possible? I tried a little bit.
>> But it didn't work. If I want to make it work, do I need to modify some
>> code in selinux_android_setcontext?
>>
>> Thanks a lot,
>> Ruowen
>>
>>
>> If you're using the AOSP email app then I believe that is signed with the
>> release/testkey key which would make the seinfo = release. Check out
>> external/sepolicy/mac_permissions.xml for clarification.
>>
>>
>> I would also make sure that the app is being installed with the correct
>> seinfo label on install. logcat should help with this. You did mention you
>> are signing with a different key so your output should look slightly
>> different than the following.
>>
>>
>> > adb logcat | grep seinfo | grep email
>> I/SELinuxMMAC( 391): package (com.android.email) installed with
>> seinfo=release
>
> --
> Respectfully,
>
> William C Roberts
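
Added example, not part of the original thread and not SEAndroid code: a small checker that compares the seinfo a package was installed with (taken from the SELinuxMMAC logcat line quoted above) against the seapp_contexts entries from the thread, and reports which selector keeps an entry from applying. It assumes a simplified model in which an entry matches when each of user, name and seinfo it specifies equals the app's value, treats the app as user=_app, and does not model libselinux's entry precedence; all function names are hypothetical.

```python
import re

# Constructed sample input: the two seapp_contexts entries discussed in the
# thread and the logcat line quoted in it.
SEAPP_CONTEXTS = """\
user=_app name=com.android.email seinfo=platform domain=email_app type=email_app_data_file
user=_app name=com.android.email seinfo=release domain=email_app type=email_app_data_file
"""
LOGCAT = "I/SELinuxMMAC(  391): package (com.android.email) installed with seinfo=release"

INPUT_KEYS = ("user", "name", "seinfo")  # selectors used in the thread (assumed model)
INSTALL_RE = re.compile(
    r"package \((?P<name>[\w.]+)\) installed with seinfo=(?P<seinfo>\S+)")

def parse_entries(text):
    """Turn each non-comment seapp_contexts line into a dict of key=value pairs."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries

def installed_seinfo(logcat_text):
    """Map package name -> seinfo from SELinuxMMAC install lines."""
    return {m["name"]: m["seinfo"] for m in INSTALL_RE.finditer(logcat_text)}

def explain(entry, app):
    """List the selectors in entry that disagree with the app (empty = match)."""
    return [f"{k}: entry wants {entry[k]!r}, app has {app[k]!r}"
            for k in INPUT_KEYS if k in entry and entry[k] != app[k]]

def check(package, seapp_text=SEAPP_CONTEXTS, logcat_text=LOGCAT):
    """Return (domain, entry seinfo, mismatches) for each entry naming package."""
    seinfo = installed_seinfo(logcat_text).get(package)
    if seinfo is None:
        raise LookupError(f"no SELinuxMMAC install line for {package}")
    app = {"user": "_app", "name": package, "seinfo": seinfo}  # assumption: app UID
    return [(e.get("domain"), e.get("seinfo"), explain(e, app))
            for e in parse_entries(seapp_text) if e.get("name") == package]

if __name__ == "__main__":
    for domain, seinfo, problems in check("com.android.email"):
        verdict = "MATCH" if not problems else "; ".join(problems)
        print(f"domain={domain} seinfo={seinfo}: {verdict}")
```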
