On 09/22/2015 09:55 AM, Inamdar Sharif wrote:
> So adding the below line should work
>
> +user=system seinfo=platform domain=abc_app type=app_data_file levelFrom=user
>
> I have defined the abc_app domain.

You need a new seinfo value to distinguish this specific app from any other
system app. You do that via mac_permissions.xml.

> -----Original Message-----
> From: Stephen Smalley [mailto:[email protected]]
> Sent: Tuesday, September 22, 2015 7:14 PM
> To: Inamdar Sharif; [email protected]
> Subject: Re: Restrict access to a particular system app
>
> On 09/22/2015 06:01 AM, Inamdar Sharif wrote:
>> Hi Guys,
>>
>> How do I restrict access to a particular /dev node to only a
>> particular system app, so that other system apps are not able to access it?
>>
>> For example,
>>
>> If I have a node /dev/abc and system apps A, B, and C,
>>
>> I want only system app A to be able to access /dev/abc.
>>
>> System apps B and C should not be able to access that node.
>>
>> So how do I prevent this scenario using SELinux?
>
> You assign a specific type to the device node (i.e. define a type for it in
> your device/nvidia/<board>/sepolicy/device.te file, assign it to the /dev
> node in your file_contexts file) and assign a specific domain to the system
> app that is allowed access (i.e. define a new domain for the authorized app,
> assign a specific seinfo value based on signer and package in your
> mac_permissions.xml file, assign a specific domain and type based on seinfo
> in your seapp_contexts file).
>
> Then you can further add a neverallow rule to ensure that no other domains
> can ever access the device node.
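As an added worked example (not part of the thread and not Stephen's or Inamdar's code), here are the pieces listed in the reply above written out as fragments for the device sepolicy directory. /dev/abc and the abc_app domain come from the thread; the type name abc_device, the seinfo value abc, the package name com.example.abc, the assumption that /dev/abc is a character device, and the exact permission sets are my choices, and app_domain() is taken to be the AOSP te_macros macro of that era that marks a type as an app domain.

```text
==== device/<vendor>/<board>/sepolicy/device.te ====
# New type for the node. dev_type is the attribute ueventd/init are
# allowed to create and relabel, so the node is still made at boot.
type abc_device, dev_type;

==== device/<vendor>/<board>/sepolicy/file_contexts ====
/dev/abc        u:object_r:abc_device:s0

==== device/<vendor>/<board>/sepolicy/mac_permissions.xml ====
<!-- Inside the existing platform-signer stanza; @PLATFORM is substituted
     with the real platform certificate at build time. The nested package
     element narrows seinfo for this one package only: every other app
     signed with the platform key keeps seinfo=platform. Package name is
     an assumed placeholder. -->
<signer signature="@PLATFORM" >
  <seinfo value="platform" />
  <package name="com.example.abc" >
    <seinfo value="abc" />
  </package>
</signer>

==== device/<vendor>/<board>/sepolicy/seapp_contexts ====
# Keyed on the new seinfo, so this entry wins over the generic
# "user=system seinfo=platform domain=system_app ..." line for
# com.example.abc only. user=system means the app must run as the
# system uid (sharedUserId android.uid.system), as in the reply above.
user=system seinfo=abc domain=abc_app type=app_data_file levelFrom=user

==== device/<vendor>/<board>/sepolicy/abc_app.te ====
# Domain for the single authorized app. It starts with only what
# app_domain() grants; copy over from system_app.te whatever else
# this app genuinely needs, nothing more.
type abc_app, domain;
app_domain(abc_app)

# Assumes /dev/abc is a character device.
allow abc_app abc_device:chr_file rw_file_perms;

# No other domain, app or daemon, may open/read/write/ioctl the node.
# create/setattr/relabel are deliberately left out of the set so ueventd
# and init can still create and label it.
neverallow { domain -abc_app } abc_device:chr_file { open read write ioctl };
```

Two checks are worth running. At build time, if a global neverallow in the AOSP policy of your release conflicts with the new allow rule, checkpolicy fails the build; treat that as a signal to revisit the design, not as a rule to delete. On the device, `ls -Z /dev/abc` should print `u:object_r:abc_device:s0` and `ps -Z` should show the app running in `u:r:abc_app:s0`; if it still runs as `system_app`, the seinfo never took, which usually means the signer/package stanza in mac_permissions.xml does not match the installed APK.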
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
