On Feb 7, 2015 7:35 AM, "Nick Kralevich" <[email protected]> wrote:
>
> On Sat, Feb 7, 2015 at 7:21 AM, William Roberts <[email protected]> wrote:
>>
>> Didn't Stephen submit the patch for the ability to set context labels? Granted it's not a complete solution.
>
> Yes, that was https://android-review.googlesource.com/58360 (and other related kernel patches)
>
>>
>> Ideal solution IMO is doing it at build time like ext4. I looked into this some time back, and it didn't look too hard to add xattr support to ramdisk.
>
> Sorry if I wasn't clear. This is exactly what I'm hoping we can do long term. Labeling at runtime is ok as a short term solution, but longer term, it feels like the selinux labels should be embedded within the ramdisk itself at build time.
>
>>
>> Also, you're missing one use case of seclabel. Suppose that init execs sh and you want those shell transitions in some other domain, ala the defunct init_shell domain. Now suppose a service that provides a serial console (not adbd) is running shell. You don't want that console in init_shell domain, you want it in shell, so an explicit seclabel on that instance of init domain exec shell can be used.
>
> I've been trying to move all of those to dedicated shell scripts, and apply a proper label to the shell script itself. A perfect example of this is a change I uploaded yesterday: https://android-review.googlesource.com/129920 . I could have used seclabel on this service to force it into its own domain, but relying on the labeling of the shell script feels like a cleaner solution.

Yes it is, but usually what I'll do is use something like init shell as a temporary stop gap, while I move everything out to separate executables.

>
>> On Feb 7, 2015 6:55 AM, "Nick Kralevich" <[email protected]> wrote:
>>>
>>> Currently, Android's init.rc supports a seclabel entry for services. This allows you to specify an SELinux domain for a service, without relying on the transition rules defined by policy.
>>>
>>> One of the primary reasons why the seclabel entries exist is because the root filesystem doesn't support labeling. Labeling is only done on /system, not on rootfs. As a result, we can't rely on SELinux's built in domain transition code.
>>>
>>> Does anyone recall why the root filesystem doesn't support labeling? Is it just something which hasn't been implemented yet, or some more fundamental problem?
>>>
>>> We support setting the traditional file permissions on rootfs files, but not selinux labels, which seems odd to me.
>>>
>>> This came up in the context of https://android-review.googlesource.com/129923
>>>
>>> --
>>> Nick Kralevich | Android Security | [email protected] | 650.214.4037
>>>
>>> _______________________________________________
>>> Seandroid-list mailing list
>>> [email protected]
>>> To unsubscribe, send email to [email protected].
>>> To get help, send an email containing "help" to [email protected].
>
> --
> Nick Kralevich | Android Security | [email protected] | 650.214.4037
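
Added example, not part of any message in this thread and not AOSP code: a small audit of an init.rc fragment that sorts each `seclabel` entry into the cases discussed above (executable on unlabeled rootfs, shared shell as the executable, or an executable whose own file label could drive the transition). The service names, paths and domains in the sample are constructed, and the "only /system is labeled" prefix list is an assumption taken from the thread.

```python
# Added illustration. Assumption from the thread: only /system carries file labels.
LABELED_PREFIXES = ("/system/",)
SHELL = "/system/bin/sh"
SECTION_KEYWORDS = ("on", "service", "import")

# Constructed init.rc fragment; service names, paths and domains are hypothetical.
SAMPLE_INIT_RC = """\
service console_a /system/bin/sh
    class core
    seclabel u:r:shell:s0

service early_helper /sbin/early_helper
    seclabel u:r:early_helper:s0

service flash_tool /system/bin/flash_tool.sh
    seclabel u:r:flash_tool:s0
    oneshot

service netd /system/bin/netd
    class main
"""

def parse_services(text):
    """Return {service name: {"exe": path, "seclabel": context or None}}."""
    services, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            current = None  # any new section ends the previous service block
            if tokens[0] == "service" and len(tokens) >= 3:
                current = services.setdefault(tokens[1], {"exe": tokens[2], "seclabel": None})
        elif current is not None and tokens[0] == "seclabel" and len(tokens) == 2:
            current["seclabel"] = tokens[1]
    return services

def classify(svc):
    """Say why a service has (or lacks) a seclabel, in the thread's terms."""
    if svc["seclabel"] is None:
        return "no-seclabel"             # domain left to policy transition rules
    if not svc["exe"].startswith(LABELED_PREFIXES):
        return "seclabel-needed-rootfs"  # executable's filesystem cannot carry a label
    if svc["exe"] == SHELL:
        return "seclabel-shared-shell"   # the shell's file label is shared by every caller
    return "seclabel-replaceable"        # a labeled executable could drive the transition

def audit(text):
    return {name: classify(svc) for name, svc in parse_services(text).items()}
```

Entries reported as `seclabel-shared-shell` are the ones that could move to a dedicated, separately labeled script, and `seclabel-needed-rootfs` entries are the ones that build-time ramdisk labeling would make unnecessary.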
