Stephen,

You are right. I was trying to say "only selected few processes can mount non-sdcard_type of filesystem."; it was a typo.

In our fs_use, we add this line:

fs_use_xattr ecryptfs u:object_r:labeledfs:s0;

Many thanks
Joe

________________________________________
From: Stephen Smalley <[email protected]>
Sent: Friday, October 16, 2015 5:10 AM
To: Dong Zhou
Cc: [email protected]
Subject: Re: CTS SELinux noncompliance

Actually, that neverallow only restricts the ability to mount filesystems other than those with sdcard_type (fs_type -sdcard_type means all types with fs_type except those with sdcard_type). What is your configuration for ecryptfs (fs_use or genfs_contexts entry)?

On Fri, Oct 16, 2015 at 5:41 AM, Dong Zhou <[email protected]> wrote:
> Hi, SE gurus
>
> I have a question about CTS neverallow noncompliance.
>
> In domain.te, we have this statement
>
> neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
>
> which is basically saying only selected few processes can mount sdcard_type of filesystem.
>
> However, we have a real need for our device to mount ecryptfs in one of our native processes.
>
> To make our process work, we need to tweak the neverallow, which will trigger CTS noncompliance.
>
> How should we handle this type of scenario? Please kindly advise.
>
> Thanks
>
> Joe
>
> Nothing in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.
>
> Confidentiality Note: This message is intended only for the person or entity to which it is addressed. It may contain confidential and/or privileged material. Any review, transmission, dissemination or other use, or taking of any action in reliance upon this message by persons or entities other than the intended recipient is prohibited and may be unlawful. If you received this message in error, please contact the sender and delete it from your computer.
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to [email protected].
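The exchange above turns on how the type set `{ fs_type -sdcard_type }` expands and on which type the `fs_use_xattr` line assigns to ecryptfs. The following is an added example, not code from the thread or from the AOSP policy: a small Python model that expands SELinux type-set expressions (positive terms unioned, negated terms subtracted), parses the neverallow and the `fs_use_xattr` statement quoted in the thread, and reports whether a given domain mounting ecryptfs would trip the rule. The attribute membership table is a constructed miniature; it encodes the assumption that `labeledfs` carries the `fs_type` attribute (as it does in AOSP's file.te), which is exactly why mapping ecryptfs to `labeledfs` lands it inside the neverallow's target set. `vendor_native` is a made-up name standing in for the native process in the thread.

```python
import re

# Constructed miniature of the attribute membership involved in the thread.
# A real policy has hundreds of types; these few are enough to show the
# expansion.  "vendor_native" is a hypothetical domain for the native process.
ATTRIBUTES: dict[str, set[str]] = {
    "domain": {"kernel", "init", "recovery", "vold", "zygote", "vendor_native"},
    "fs_type": {"labeledfs", "sdcardfs", "proc", "sysfs"},   # labeledfs carries fs_type in AOSP
    "sdcard_type": {"sdcardfs"},
}

_SET_RE = r"(\{[^}]*\}|\S+)"
NEVERALLOW_RE = re.compile(
    rf"neverallow\s+{_SET_RE}\s+{_SET_RE}:(\w+)\s+{_SET_RE}\s*;"
)
FS_USE_RE = re.compile(r"fs_use_(xattr|trans|task)\s+(\w+)\s+u:object_r:(\w+):s0\s*;")


def expand_name(name: str) -> set[str]:
    """An attribute expands to its member types; a plain type is just itself."""
    return set(ATTRIBUTES.get(name, {name}))


def expand_set(expr: str) -> set[str]:
    """Expand `{ a -b c }` (or a bare name) into concrete types.

    Positive terms are unioned first and negated terms are subtracted from
    that union, so `{ fs_type -sdcard_type }` is every fs_type type except
    those that are also sdcard_type.
    """
    expr = expr.strip()
    if expr.startswith("{") and expr.endswith("}"):
        expr = expr[1:-1]
    tokens = expr.split()
    positives = set().union(*(expand_name(t) for t in tokens if not t.startswith("-")))
    negatives = set().union(*(expand_name(t[1:]) for t in tokens if t.startswith("-")))
    return positives - negatives


def parse_neverallow(rule: str) -> tuple[set[str], set[str], str, set[str]]:
    """Return (source types, target types, class, permissions) of a neverallow."""
    m = NEVERALLOW_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a neverallow rule: {rule!r}")
    src, tgt, cls, perms = m.groups()
    return expand_set(src), expand_set(tgt), cls, expand_set(perms)


def fs_use_type(line: str) -> str:
    """Return the SELinux type a fs_use_* statement assigns to a filesystem."""
    m = FS_USE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a fs_use statement: {line!r}")
    return m.group(3)


def violates(rule: str, domain: str, fs_label: str, perm: str,
             cls: str = "filesystem") -> bool:
    """True if granting `domain perm` on `fs_label:cls` would contradict `rule`."""
    src, tgt, rule_cls, perms = parse_neverallow(rule)
    return domain in src and fs_label in tgt and cls == rule_cls and perm in perms


# The two policy lines quoted in the thread.
RULE = ("neverallow { domain -kernel -init -recovery -vold -zygote } "
        "{ fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };")
FS_USE = "fs_use_xattr ecryptfs u:object_r:labeledfs:s0;"


def ecryptfs_mount_flagged(domain: str) -> bool:
    """Would letting `domain` mount ecryptfs (labelled via FS_USE) hit RULE?"""
    return violates(RULE, domain, fs_use_type(FS_USE), "mount")


if __name__ == "__main__":
    print("target set:", sorted(expand_set("{ fs_type -sdcard_type }")))
    for d in ("vold", "vendor_native"):
        print(f"{d} mounting ecryptfs flagged by neverallow: {ecryptfs_mount_flagged(d)}")
```

Running it shows the target set expanding to `labeledfs`, `proc` and `sysfs` (every `fs_type` minus `sdcardfs`), so `vold` mounting ecryptfs is exempt by the source-set exclusion while the native domain is flagged; this is the same conclusion Stephen's reply leads to, and the same check the CTS neverallow test performs against the compiled policy.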
