Thank you for your advice Mr William Roberts. Using type_transition with a hint is a good idea, but it did not work.

====================================================
First try.

type_transition X system_data_file:dir app_1_data_file "system/dir_1";

A policy compiling error happened.

xxx/X.te":4:WARNING 'unrecognized character' at token '"' on line 7439:
# X.te
type_transition X system_data_file:dir app_1_data_file "system/dir_1";
xxx/X.te":4:ERROR 'syntax error' at token 'system' on line 7439:
# X.te
type_transition X system_data_file:dir app_1_data_file "system/dir_1";
checkpolicy: error(s) encountered while parsing configuration
make: *** [outXXX/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
====================================================
So, I read http://selinuxproject.org/page/TypeRules#type_transition_Rule
There it is written "object_name ... (i.e. the last component of a path)"
====================================================
Second try.

type_transition X system_data_file:dir app_1_data_file "dir_1";

But after X creates "/data/system/dir_1", dir_1 still remains as "system_data_file".
====================================================
Third try.

type_transition X system_data_file:dir app_1_data_file;

But after X creates "/data/system/dir_1", dir_1 still remains as "system_data_file".
====================================================
Your idea is great, but I could not apply the idea.
What point should I check?
Was the policy insertion wrong?

I always insert the policy like below:
1. mmm external/sepolicy
2. m kernel
3. fastboot flash boot boot.img
(I could see the type_transition rule in the policy.conf intermediate file)

Thank you
Best regards

2013/11/18 William Roberts <[email protected]>

>
> On Nov 17, 2013 11:04 AM, "Jaejyn Shin" <[email protected]> wrote:
> >
> > Thank you for your comments. These were very helpful.
> >
> > One more question,
> > one application (app_1) created a directory (dir_1) under /data/system during run-time
> > and I already wrote the labeling of dir_1 in the file_context.
> >
> > /data/system/dir_1(/.*)?    u:object_r:app_1_data_file:s0
> > But the /data/system/dir_1 still has the system_data_file context
> > It can be changed to app_1_data_file after I run "restorecon /data/system/dir_1".
> >
> > How can I label the directory which the application creates dynamically during run-time without running "restorecon"?
> > Is there some useful macro?
> >
>
> No macro, but suppose your application is running as type X
>
> type_transition X system_data_file:file app_1_data_file;
>
> But some words of caution:
> This will cause all files to be type-transitioned if they meet this rule,
> so if you have 5 apps running in context X, you may accidentally transition too many files.
> If you create that directory under init.rc, then the context will get picked up via the init builtin
> and the proper context applied. If app_1 is creating the directory, then you
> could type transition the mkdir, and optionally give it a hint:
>
> No hint:
> type_transition X system_data_file:dir app_1_data_file;
>
> With hint:
> type_transition X system_data_file:dir app_1_data_file "system/dir_1";
>
> Note that the hint is relative to the mount point.
>
> Hope it helps
>
> Bill
>
> <snip>
>
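To make the matching semantics of the three tries concrete, here is an added Python model (not code from the thread or from AOSP) that parses type_transition rules out of policy.conf-style text, flags an object_name containing a slash, and computes which type a newly created object receives; the policy fragment it reads is constructed to mirror the rules discussed above.

```python
import re
from collections import namedtuple

# Constructed policy.conf fragment (not from the thread): the slash-containing
# hint from the first try, the single-component hint from the second, and an
# unnamed transition for the file class as in Bill's first suggestion.
SAMPLE_POLICY = """\
# X.te
type_transition X system_data_file:dir app_1_data_file "system/dir_1";
type_transition X system_data_file:dir app_1_data_file "dir_1";
type_transition X system_data_file:file app_1_data_file;
allow X system_data_file:dir { create add_name write search };
"""

Rule = namedtuple("Rule", "source target cls result name")

# Matches one rule per line; class sets such as { dir file } are not handled.
RULE_RE = re.compile(
    r'^\s*type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+?)\s*(?:"([^"]*)")?\s*;')


def parse_type_transitions(text):
    """Return the type_transition rules found in policy.conf-style text."""
    return [Rule(*m.groups()) for m in map(RULE_RE.match, text.splitlines()) if m]


def check_hint(rule):
    """Return a problem description for the rule's object_name, or None.
    The kernel compares object_name with the last path component only, so a
    hint containing a slash can never match and the rule is dead."""
    if rule.name is not None and "/" in rule.name:
        return "object_name must be a single path component, not a path"
    return None


def resolve_label(rules, source, parent_type, cls, path):
    """Type given to a newly created object: a named rule whose object_name
    equals the basename wins, then an unnamed rule, otherwise the object
    inherits the parent directory's type (what the thread observed)."""
    base = path.rstrip("/").rsplit("/", 1)[-1]
    matching = [r for r in rules
                if (r.source, r.target, r.cls) == (source, parent_type, cls)]
    for r in matching:
        if r.name == base:
            return r.result
    for r in matching:
        if r.name is None:
            return r.result
    return parent_type
```

The 'unrecognized character' error at the quote means the checkpolicy building that tree does not accept the object_name syntax at all, so the first rule never reached the device; name-based transitions need policy version 25 or later in both checkpolicy and the kernel.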
