Yes, I agree with you.
In my opinion, this project provides a way to update sepolicy dynamically 
without OTA.
This could be used to push different sepolicy to different people who have 
the same devices, which sounds good for the BYOD market. 
The data partition is not secure enough to store the new sepolicy; maybe a TPM is 
better.

berg

------------------ Original message ------------------
From: "Stephen Smalley";<[email protected]>;
Sent: Wednesday, 7 October 2015, 1:14 AM
To: "??????"<[email protected]>; 
"seandroid-list"<[email protected]>; 

Subject: Re: Wrong: policy updates

On 10/05/2015 03:12 AM, ?????? wrote:
> Hi,
> I have some problems with policy updates.
> 
> 1.Issue
> Issue 1
> After selecting Reload Kernel Policies
> I check adb shell dmesg and logcat, but do NOT see that the policy was reloaded from 
> /data/security/current/sepolicy
> But the /data/security directory has /current
> Issue 2
> After selecting Reload Kernel Policies
> adb shell logcat shows
>>>I/ConfigUpdateInstallReceiver(  593): Couldn't find current metadata, 
>>>assuming first update
>>>I/ConfigUpdateInstallReceiver(  593): Failed to read current content, 
>>>assuming first update!
>>>I/ConfigUpdateInstallReceiver(  593): Found new update, installing...
>>>I/ConfigUpdateInstallReceiver(  593): Installation successful
>>>I/SELinuxPolicyInstallReceiver(  593): Applying SELinux policy
> 
> 2.Information
> AOSP: android-5.1.1_r14
> SE for Android modifications: seandroid-5.1.1
> Devices: ASUS Nexus7 II
> 
> 3.Goal
> I want to modify external/sepolicy/shell.te so that
> adb shell cannot access the data/local/tmp directory
> 
> 4.Step
> step 1
> Delete the allow rules
>>># Access /data/local/tmp.
>>># allow shell shell_data_file:dir create_dir_perms;
>>># allow shell shell_data_file:file create_file_perms;
>>># allow shell shell_data_file:file rx_file_perms;
>>># allow shell shell_data_file:lnk_file create_file_perms;
> step 2
>>>mmm external/sepolicy
> or
>>>make sepolicy
> step 3
> Using the buildsebundle tool
>>>buildsebundle -k build/target/product/security/testkey.pk8 -v 2 -- 
>>>out/target/product/flo/root/* 
>>>out/target/product/flo/system/etc/security/mac_permissions.xml
>>>adb push selinux_bundle.zip /sdcard/
> step 4
> Run SEAdmin
> select Kernel and MMAC Policy under POLICY UPDATE OPTIONS, and select Reload 
> Kernel Policies
> 
> Reference 
> website: http://seandroid.bitbucket.org/PolicyUpdates.html#policy-updates

I got this output in logcat:
D/SEAdminConfigUpdateFragment( 3314): Loading of policy bundle requested.
D/SEAdminConfigUpdateFragment( 3314): android.intent.action.UPDATE_SEPOLICY 
being broadcast. Intent { act=android.intent.action.UPDATE_SEPOLICY 
dat=content://com.android.seandroid_admin.fileprovider/policy/selinux_bundle 
(has extras) } Extras: 
Bundle[{SIGNATURE=bbZeeQVk4UaRaPjwtrfAx7VelPM9yW+vgibqLMb7f8VUectRa1LjYrEAuF7joKez1VnIks1Bju/Q/zylxczKnMSIxF/y3u0+yNID3ZXoCeatnoMovpyCQkuFQLcxqiV1QoIxGI2AsDyb8woAR+INopZ7xkVTsBQNciGEbFD8wM4mwOAstt6QtZp4XHYLASNw7IZkIgw2EO4SN1S5gQgKuXj6MaoofkQvnrJIdSIiuFN50FWedYY4w11PNoGbxXQmbUm2kKGa/D/17GaPMzDIz8GjNpMf1IXllQUvm2915q8pxASu8s8N5dhtAC/mETIKt3bvvg3ATnN0TC55DczKZQ==,
 REQUIRED_HASH=NONE, VERSION=2}]
I/ConfigUpdateInstallReceiver( 1615): Couldn't find current metadata, assuming 
first update
I/ConfigUpdateInstallReceiver( 1615): Failed to read current content, assuming 
first update!
I/ConfigUpdateInstallReceiver( 1615): Found new update, installing...
I/ConfigUpdateInstallReceiver( 1615): Installation successful
I/SELinuxPolicyInstallReceiver( 1615): Applying SELinux policy
I/auditd  (  280): type=1403 audit(0.0:19): policy loaded auid=4294967295 
ses=4294967295

And this in dmesg:
<7>[  452.832573] SELinux: 2048 avtab hash slots, 4956 rules.
<7>[  452.832603] SELinux:  1 users, 2 roles, 488 types, 0 bools, 1 sens, 1024 
cats
<7>[  452.832612] SELinux:  87 classes, 4956 rules
<38>[  453.135294] type=1403 audit(5438452.229:21): policy loaded 
auid=4294967295 ses=4294967295

So it seemed to work for me.

That said, the policy update mechanism is deprecated in AOSP (the code is still 
there, but the default policy no longer permits it to work), and Android 6.0 is 
available in AOSP, so I think both policy updates and seandroid-5.1.1 are obsolete.
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].
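The check Stephen did by hand (look for the receiver's "Applying SELinux policy" line, then for the kernel's type=1403 "policy loaded" audit record and the avtab statistics in dmesg) can be scripted so that the first poster's Issue 1 is diagnosed mechanically. The script below is an added example for this thread, not code from the SE for Android project or from the seandroid-list authors; `check_reload`, `ReloadReport` and the `baseline_rules` parameter are names chosen here, and the sample log excerpts are constructed from the output quoted above so that it runs offline.

```python
"""Decide from logcat and dmesg excerpts whether a SE for Android policy
bundle actually reached the kernel (added example; not project code).

AUDIT_MAC_POLICY_LOAD is audit record type 1403, which the kernel emits
on every successful policy load, so its absence after the receiver's
"Applying SELinux policy" line is the symptom of a reload that did not happen.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# logcat: the config-update receiver is about to load the bundle's policy
RE_APPLYING = re.compile(r"SELinuxPolicyInstallReceiver\(\s*\d+\): Applying SELinux policy")
# logcat (via auditd) or dmesg: kernel audit record for a policy load
RE_LOADED = re.compile(r"type=1403 audit\([\d.]+:\d+\): policy loaded")
# dmesg: the kernel prints these while parsing the new binary policy
RE_AVTAB = re.compile(r"SELinux: (\d+) avtab hash slots, (\d+) rules\.")
RE_TYPES = re.compile(r"SELinux:\s+(\d+) users, (\d+) roles, (\d+) types, (\d+) bools")

# Constructed samples, taken from the lines quoted in the thread.
LOGCAT_OK = """\
I/ConfigUpdateInstallReceiver( 1615): Found new update, installing...
I/ConfigUpdateInstallReceiver( 1615): Installation successful
I/SELinuxPolicyInstallReceiver( 1615): Applying SELinux policy
I/auditd  (  280): type=1403 audit(0.0:19): policy loaded auid=4294967295 ses=4294967295
"""
DMESG_OK = """\
<7>[  452.832573] SELinux: 2048 avtab hash slots, 4956 rules.
<7>[  452.832603] SELinux:  1 users, 2 roles, 488 types, 0 bools, 1 sens, 1024 cats
<7>[  452.832612] SELinux:  87 classes, 4956 rules
<38>[  453.135294] type=1403 audit(5438452.229:21): policy loaded auid=4294967295 ses=4294967295
"""
# The first poster's Issue 1: receiver says it applied, kernel never confirms.
LOGCAT_NO_LOAD = """\
I/ConfigUpdateInstallReceiver(  593): Installation successful
I/SELinuxPolicyInstallReceiver(  593): Applying SELinux policy
"""


@dataclass
class ReloadReport:
    apply_requested: bool = False   # receiver reached "Applying SELinux policy"
    policy_loaded: bool = False     # a type=1403 record was seen anywhere
    rules: Optional[int] = None     # avtab rule count from dmesg, if present
    types: Optional[int] = None     # type count from dmesg, if present
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.apply_requested and self.policy_loaded and not self.problems


def check_reload(logcat: str, dmesg: str,
                 baseline_rules: Optional[int] = None) -> ReloadReport:
    """Correlate the userspace receiver's log with the kernel's own evidence.

    baseline_rules (assumed parameter): the avtab rule count of the policy
    that was running before the update. Removing allow rules, as in the
    shell.te edit in the thread, must not leave the count unchanged.
    """
    r = ReloadReport()
    for line in logcat.splitlines():
        if RE_APPLYING.search(line):
            r.apply_requested = True
        if RE_LOADED.search(line):
            r.policy_loaded = True
    for line in dmesg.splitlines():
        if RE_LOADED.search(line):
            r.policy_loaded = True
        m = RE_AVTAB.search(line)
        if m:
            r.rules = int(m.group(2))
        m = RE_TYPES.search(line)
        if m:
            r.types = int(m.group(3))

    if r.apply_requested and not r.policy_loaded:
        r.problems.append("receiver applied the bundle but no type=1403 "
                          "'policy loaded' record followed")
    if r.policy_loaded and r.rules is None:
        r.problems.append("policy loaded but dmesg carries no avtab statistics "
                          "(ring buffer rotated? check with dmesg -w)")
    if baseline_rules is not None and r.rules is not None and r.rules >= baseline_rules:
        r.problems.append(f"new policy has {r.rules} rules, baseline had "
                          f"{baseline_rules}: expected fewer after deleting allow rules")
    return r


if __name__ == "__main__":
    for name, lc, dm in (("working", LOGCAT_OK, DMESG_OK), ("issue 1", LOGCAT_NO_LOAD, "")):
        rep = check_reload(lc, dm)
        print(f"{name}: ok={rep.ok} rules={rep.rules} types={rep.types} problems={rep.problems}")
```

On a device, feed it the real output of `adb shell logcat -d` and `adb shell dmesg`, collected immediately after pressing Reload Kernel Policies; the kernel log rotates quickly, so the avtab lines may already be gone even when the type=1403 record in logcat proves the load happened, which is why the two sources are correlated rather than trusting either alone.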