Thanks. I am traversing file by file in each directory and calling setfilecon2 for each file. I was wondering: when a new app is installed, the PackageManager service also calls the same API from the install method in command.c, so do we give some permission or something for that?
I fail at "rc = setfilecon(pkgdir, ctx_str);" in libselinux/src/android.c, and the return value I get is -1.

On Fri, Jun 13, 2014 at 7:56 PM, Stephen Smalley <[email protected]> wrote:
> On 06/13/2014 10:16 AM, Pankaj Kushwaha wrote:
> > Hi,
> >
> > I am trying to call an API selinux_android_setfilecon2(pkgdir, pkgname,
> > seinfo, uid) to relabel files for all the packages present on my device.
> >
> > After boot I fetch the number of apps installed on the device in SystemServer.java.
> > Call a method of PackageManagerService through an AIDL interface.
> > This method in PackageManagerService calls a method in Installer.java
> > which I have written, that is defined in
> > frameworks/base/cmds/installd/command.c (following the same calling
> > mechanism as followed by mInstaller.install(packageName, uid, uid,
> > seinfo) when a new app is installed).
> >
> > My problem is this: when the install method calls
> > selinux_android_setfilecon2, it relabels successfully, but when I do it
> > from my method selinux_android_setfilecon2 returns -1 and my files are
> > not re-labeled.
> >
> > I also tried in permissive mode, so that proves that I am not being
> > stopped by MAC.
> > But even DAC shouldn't stop me, as this file already calls the setfilecon2
> > API successfully.
> > Can you please help me with this: how can I call this API?
>
> We already have a mechanism for this purpose in AOSP master (and
> back-ported to our seandroid-4.4.3 branch).
>
> frameworks/base/services/java/com/android/server/pm/PackageManagerService.java
> calls mInstaller.restoreconData() for each package. Installer.java
> restoreconData invokes the installd restorecondata command.
> frameworks/native/cmds/installd/commands.c:restorecon_data() calls
> selinux_android_restorecon_pkgdir() on the package directory for the
> primary user and any secondary users. This should happen on first boot
> or upgrade; the PMS only does it if there is no /data/system/seapp_hash
> file or if a hash of the seapp_contexts file no longer matches the
> contents of that file (i.e. seapp_contexts has changed since the last
> such restorecon).
>
> With regard to why it fails for you, note that setting security.selinux
> on a file that is owned by a different UID requires CAP_FOWNER.
>
> Also, setfilecon/setfilecon2 only relabels a single file; you want
> restorecon with the appropriate flags to recursively relabel as in our
> approach above.
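Stephen's CAP_FOWNER point above, as an added example that is not part of this thread or of libselinux: the kernel refuses a security.selinux write on a file the caller does not own unless the process holds CAP_FOWNER, and that refusal is an ownership check, not an AVC denial, so permissive mode does not lift it. The helper names and the diagnosis logic are mine; the xattr write mirrors what libselinux's lsetfilecon() does.

```c
/* Added example, not from the thread or libselinux: diagnose why relabelling
 * security.selinux fails with -1/EPERM on a file owned by another UID.
 * Assumes Linux: CAP_FOWNER is capability bit 3 and /proc/self/status shows
 * the effective set as a hex mask on its "CapEff:" line. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>
#define CAP_FOWNER_BIT 3

/* Parse the hex mask from a "CapEff:\t<hex>" line; 0 for any other line. */
uint64_t parse_capeff_line(const char *line) {
    if (strncmp(line, "CapEff:", 7) != 0) return 0;
    return strtoull(line + 7, NULL, 16);
}

int mask_has_fowner(uint64_t mask) { return (int)((mask >> CAP_FOWNER_BIT) & 1ULL); }

/* Effective capability mask of the calling process (0 if unreadable). */
uint64_t effective_caps(void) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    uint64_t mask = 0;
    if (f == NULL) return 0;
    while (fgets(line, sizeof line, f) != NULL)
        if (strncmp(line, "CapEff:", 7) == 0) { mask = parse_capeff_line(line); break; }
    fclose(f);
    return mask;
}

/* Ownership check applied before the xattr write: caller must own the file or
 * hold CAP_FOWNER. Returns 1 = allowed, 0 = EPERM expected, -1 = lstat failed. */
int can_relabel(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (st.st_uid == geteuid()) return 1;
    return mask_has_fowner(effective_caps());
}

/* Relabel one file as libselinux's lsetfilecon() does (no symlink following)
 * and explain an EPERM. Returns 0 on success, -1 on failure. */
int relabel_one(const char *path, const char *ctx) {
    if (lsetxattr(path, "security.selinux", ctx, strlen(ctx) + 1, 0) == 0) return 0;
    int saved = errno;
    if (saved == EPERM && can_relabel(path) == 0)
        fprintf(stderr, "%s: owned by another UID and CAP_FOWNER not held\n", path);
    else
        fprintf(stderr, "%s: lsetxattr: %s\n", path, strerror(saved));
    return -1;
}
```

Running relabel_one() over a package directory walk reproduces the -1 the thread describes whenever installd-owned files are touched from a process without CAP_FOWNER; the recursive relabel itself is what selinux_android_restorecon_pkgdir() provides.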
_______________________________________________
Seandroid-list mailing list
