On 10/28/2014 02:35 AM, harish kavali wrote:
> Hi all,
> I had created a new directory in "/data/mydir" and labelled it in the
> file_contexts as
> /data/mydir(/.*)? u:object_r:my_data_file:s0
>
> in file.te i defined the new type as
> type my_data_file, file_type, data_file_type, mlstrustedobject;
>
> in my type enforcement file "myapp.te" i had added the following rule
> allow my_app my_data_file:dir create_dir_perms;
> allow my_app my_data_file:file create_file_perms;
>
>
> all the files are located in device/lge/hammerhead/sepolicy directory
>
> my seapp_contexts contains
> user=_app seinfo=mydomain domain=my_app type=app_data_file levelFrom=user
>
> now only apps running in mydomain can be able to read & write to that
> directory
> but the problem is that even root user is having access to /data/mydir.
> i.e through shell
> in su mode i am able to write/read to the files in /data/mydir.
>
> now my question is can we restrict the access to only apps running in
> mydomain. so that even root cannot access that directory. how can i
> achieve this.
>
> is keeping mlstrusted object in file.te created this problem.
>
>
> Please help me in this issue i am using seandroid 4.4.4 branch

The su domain only exists in -userdebug or -eng builds; if you perform a -user build, there will be no su domain and no su executable, and adb root will not be allowed either. The only reason you are allowed to su currently is that you are building a -userdebug or -eng build, and that is only for development purposes. It would not exist on a production device.

Note that root or uid-0 is not inherently all-powerful under SELinux; you have to have both uid-0 / full-caps and be in a SELinux domain that is allowed the necessary permissions in order to exercise any superuser privilege.
