On 2016/1/5 0:19, Stephen Smalley wrote:
> On 01/03/2016 10:06 PM, weiyuan wrote:
>> The other system likes an embedded Linux distribution.
>>
>> These systems have separated exec files in a different partition, but some of
>> them may have the same filename.
>>
>> As your suggestion, I think it's a good way that simply set process in the
>> different system have different domains.
>> Then, compile those policies in both systems into a single one sepolicy file.
>>
>> But it seems that the non-android system will have to follow Android's
>> neverallow.
>> Is there any way that can let Android system get past the CTS test, and
>> meanwhile the other system can add
>> some policies that may break Android's neverallow.
>
> Do you need all of the systems running simultaneously? If not, then you
> could keep the different policies separate and only load the appropriate
> policy for the currently booted environment.
>
> If you do need them all to run simultaneously, then the only way I can see to
> avoid a problem with the neverallow checking is to virtualize the policy in
> some manner, either by virtualizing the entire kernel (i.e. run multiple
> Linux kernels each with its own policy on a hypervisor), or by introducing
> some kind of policy namespace support within SELinux itself. The latter is
> not a trivial undertaking.

I do need to run them simultaneously. Thanks a lot.
