On 09/22/2015 10:03 AM, Stephen Smalley wrote:
> On 09/22/2015 09:55 AM, Inamdar Sharif wrote:
>> So adding the below line should work
>>
>> +user=system seinfo=platform domain=abc_app type=app_data_file levelFrom=user
>>
>> I have defined abc_app domain.
>
> You need a new seinfo value to distinguish this specific app from any
> other system app. You do that via mac_permissions.xml.

Actually, since it is platform-signed, I suppose you could use a name= field in
seapp_contexts instead and not worry about mac_permissions.xml, e.g.

user=system seinfo=platform name=com.nvidia.yourappname domain=abc_app type=app_data_file levelFrom=user

>
>> -----Original Message-----
>> From: Stephen Smalley [mailto:[email protected]]
>> Sent: Tuesday, September 22, 2015 7:14 PM
>> To: Inamdar Sharif; [email protected]
>> Subject: Re: Restrict access to a particular system app
>>
>> On 09/22/2015 06:01 AM, Inamdar Sharif wrote:
>>> Hi Guys,
>>>
>>> How do I restrict the access of a particular dev/ node to only a
>>> particular system app, so that other system apps are not able to access it??
>>>
>>> For example,
>>>
>>> If I have node dev/abc, and system apps A, B, C.
>>>
>>> So I want system app A to be the only one able to access dev/abc.
>>>
>>> System apps B and C should not be able to access that node.
>>>
>>> So how do I prevent this scenario using SELinux??
>>
>> You assign a specific type to the device node (i.e. define a type for it in
>> your device/nvidia/<board>/sepolicy/device.te file, assign it to the /dev
>> node in your file_contexts file) and assign a specific domain to the system
>> app that is allowed access (i.e. define a new domain for the authorized app,
>> assign a specific seinfo value based on signer and package in your
>> mac_permissions.xml file, assign a specific domain and type based on seinfo
>> in your seapp_contexts file).
>>
>> Then you can further add a neverallow rule to ensure that no other domains
>> can ever access the device node.

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
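The setup described in this thread (a dedicated type for the device node, a dedicated domain for the one authorized app selected by signer plus package name, and a neverallow rule that closes the door for every other domain), written out as an added example. This is not policy from the thread or from any NVIDIA device tree; the type name abc_device, the package name com.example.abcapp, the permission set, and the use of AOSP's app_domain() macro are assumptions, while /dev/abc and the abc_app domain come from the question.

```sepolicy
# --- device/<vendor>/<board>/sepolicy/device.te (assumed path) ---
# Dedicated type for the node so it is never just plain "device".
type abc_device, dev_type;

# --- device/<vendor>/<board>/sepolicy/file_contexts ---
# Label the node; ueventd applies this when /dev/abc is created.
/dev/abc            u:object_r:abc_device:s0

# --- device/<vendor>/<board>/sepolicy/abc_app.te (assumed file name) ---
# Domain for the single authorized app. app_domain() is the AOSP
# te_macros helper that wires in the baseline app rules (assumed
# available in this policy tree).
type abc_app, domain;
app_domain(abc_app)

# Only this domain may read/write/ioctl the node (permission set assumed).
allow abc_app abc_device:chr_file { read write open ioctl };

# Compile-time guarantee: no other domain, system_app and platform_app
# included, may ever be granted these permissions on the node. Policy
# compilation fails if any rule anywhere in the tree violates this.
neverallow { domain -abc_app } abc_device:chr_file { read write open ioctl };

# --- device/<vendor>/<board>/sepolicy/seapp_contexts ---
# The name= match is only safe because seinfo=platform pins it to the
# platform signing key (from mac_permissions.xml); a package name on its
# own could be claimed by any third-party app. This entry is more
# specific than the stock "user=system seinfo=platform domain=system_app"
# line, so it wins for this package.
user=system seinfo=platform name=com.example.abcapp domain=abc_app type=app_data_file levelFrom=user
```

To check the result on a device, `ls -Z /dev/abc` should show `abc_device`, and `ps -Z` for the app's process should show `abc_app`; any access attempt from another app then surfaces as an `avc: denied` line in the kernel log with `tcontext=u:object_r:abc_device:s0`, which is the event worth alerting on.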
