On 03/28/2014 02:42 PM, Soteris Demetriou wrote:
> Hi,
>
> I was wondering why AOSP moderators don't want the boolean
> functionality. Any insight on that would be much appreciated.
>
> Also does anyone know what I need to do to re-enable booleans on AOSP
> branch 4.4?
>
> I created the bools file defining my booleans, in external/sepolicy, and
> added the bools in Android.mk. However when I call
> SELinux.setBooleanValue() this fails. I don't get any messages on dmesg
> or logcat regarding that.

DAC would prevent an app from setting booleans normally; the defaults are that only root can write to /sys/fs/selinux/booleans/* and /sys/fs/selinux/commit_pending_bools.

In the seandroid and seandroid-4.x branches of our repositories, we had patches to support chown -R as an init built-in command and to run chown -R system system /sys/fs/selinux/booleans and /sys/fs/selinux/commit_pending_bools so that the system_server and optionally system UID apps could set booleans, still subject to SELinux policy of course. But that will likely go away at some point as we have also eliminated our usage of booleans in our policy.

AOSP generally doesn't want policy variability/customizability as I understand it, both because it could pose compatibility problems and because it could undermine the default security goals being enforced via SELinux in AOSP itself.
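
Added example, not part of the original message or of the AOSP / SE Android code: a DAC-only check of the two selinuxfs locations named above, useful when a boolean write fails without any denial in dmesg or logcat. The function names, the boolean name "sample_bool" and the temporary tree are constructed for illustration; only the primary GID is considered.

```shell
#!/bin/sh
# Added example: DAC-only check of who may write the selinuxfs boolean nodes.
# SELinux policy is enforced separately by the kernel and is not evaluated here.

# dac_can_write FILE UID GID: exit 0 if the owner/group/other mode bits allow
# UID (primary GID only; supplementary groups are ignored) to write FILE.
dac_can_write() {
    f=$1; uid=$2; gid=$3
    [ "$uid" -eq 0 ] && return 0        # root bypasses DAC mode bits
    st=$(stat -c '%u %g %a' "$f") || return 2
    set -- $st                          # $1=owner uid, $2=group gid, $3=mode
    m=$((0$3))                          # %a is octal, e.g. 644
    if   [ "$uid" -eq "$1" ]; then bit=$((m & 0200))
    elif [ "$gid" -eq "$2" ]; then bit=$((m & 0020))
    else                           bit=$((m & 0002))
    fi
    [ "$bit" -ne 0 ]
}

# check_bool_dac ROOT UID GID: print every node UID cannot write; exit 0 only
# if all booleans and commit_pending_bools are writable under DAC.
check_bool_dac() {
    root=$1; rc=0
    for node in "$root"/booleans/* "$root"/commit_pending_bools; do
        [ -e "$node" ] || { echo "MISSING $node"; rc=1; continue; }
        dac_can_write "$node" "$2" "$3" && continue
        echo "DAC-DENY uid=$2 $node ($(stat -c '%U:%G %a' "$node"))"
        rc=1
    done
    return $rc
}

# make_sample_tree: build a constructed stand-in for /sys/fs/selinux owned by
# the current user (boolean name "sample_bool" is made up) and print its path.
make_sample_tree() {
    t=$(mktemp -d) && mkdir "$t/booleans" || return 1
    : > "$t/booleans/sample_bool"; chmod 644 "$t/booleans/sample_bool"
    : > "$t/commit_pending_bools"; chmod 200 "$t/commit_pending_bools"
    echo "$t"
}

# Demo on the constructed tree: a non-owner UID is refused, the owner is not.
tree=$(make_sample_tree)
owner=$(stat -c %u "$tree/commit_pending_bools")
check_bool_dac "$tree" $((owner + 1)) $((owner + 1)) || echo "non-owner blocked by DAC"
check_bool_dac "$tree" "$owner" "$owner" && echo "owner passes DAC"
rm -rf "$tree"
```

On a device the same function can be pointed at the real mount, for example check_bool_dac /sys/fs/selinux 1000 1000 (1000 is the Android system UID). A clean result here means only that DAC is not the blocker; the write is still subject to SELinux policy.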
