On Jul 7, 2016 07:57, "Sameer Joshi" <[email protected]> wrote:
>
> Hi All,
>
> I have a use-case where the root user access in Android needs to be restricted to not access one particular file in /data/data/<package_name_of_app> directory.

SELinux has no notion of Linux uids like root, so this question doesn't quite make sense. SELinux is a white list, so if you don't add permissions it won't be allowed. Also, most apps have MLS enabled, so there's more sandboxing than the norm. Is this root user process an init service? If so, unless it's a mlstrustedsubject and type enforcement allow rules allow access, it won't be able to access the data directory, with the exception of these where only type enforcement allow rules apply:
System_app
NFC
Bluetooth
Radio
Shell

You can label applications using mac_permissions.xml to map a key to an seinfo string and then using seapp_contexts to then label the application and its data directory. More information is in the readme and seapp_contexts files.

> The <package_name_of_app> is something that I am not aware of at the build time and will know it only during runtime.

Key (seinfo) will work; you always want to use key with a package name. Just package name is not safe and IIRC check_seapp will complain during the build and some CTS check will fail.

> How do I do it if I need to add this permission runtime? Is it possible using SELinux?

Sepolicy is static with the Android image, so all policy must be present in the build. Almost anything is possible with SELinux. More details would help me provide a more detailed response.

> Regards,
> Sameer Joshi
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to [email protected].
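The reply above describes a two-step chain: mac_permissions.xml maps an APK's signing certificate to an seinfo string, and seapp_contexts maps (seinfo, package name, uid) to the process domain, the data-directory type and an MLS level, with check_seapp rejecting a `name=` selector that is not paired with `seinfo=`. The script below is an added example, not code from the thread or from AOSP: it re-implements that chain in simplified form (most-specific matching entry wins, ties broken by file order) over a constructed mac_permissions.xml and seapp_contexts. The certificate hex strings, package names and the `secure_app`/`secure_app_data_file` types are invented for the example; the category encoding for `levelFrom=` is assumed to follow the scheme libselinux used on Android 5 through 8 and may differ on other releases.

```python
"""Simplified model of Android app labeling: cert -> seinfo -> (domain, type, level).

Added example, not AOSP's libselinux or check_seapp. All inputs below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed mac_permissions.xml. A real build puts the hex-encoded DER
# certificate in the signature attribute; short fake hex strings are used here.
MAC_PERMISSIONS_XML = """<?xml version="1.0" encoding="utf-8"?>
<policy>
  <signer signature="30820aaa"><seinfo value="platform" /></signer>
  <signer signature="30820bbb"><seinfo value="vendor" /></signer>
  <default><seinfo value="default" /></default>
</policy>
"""

# Constructed seapp_contexts. secure_app and secure_app_data_file are hypothetical
# types that the vendor's .te files would also have to define and grant rules for.
SEAPP_CONTEXTS = """\
isSystemServer=true domain=system_server
user=_app domain=untrusted_app type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app seinfo=vendor name=com.example.secure domain=secure_app type=secure_app_data_file levelFrom=user
"""

INPUT_SELECTORS = ("isSystemServer", "isOwner", "user", "seinfo", "name", "path", "isPrivApp")
OUTPUT_SELECTORS = ("domain", "type", "levelFrom", "level")


def load_mac_permissions(xml_text):
    """Return ({signature_hex: seinfo}, default_seinfo)."""
    root = ET.fromstring(xml_text)
    signers = {s.get("signature").lower(): s.find("seinfo").get("value") for s in root.findall("signer")}
    default = root.find("default/seinfo")
    return signers, (default.get("value") if default is not None else None)


def seinfo_for_cert(cert_der_hex, signers, default_seinfo):
    """Key-based lookup: the seinfo is decided by who signed the APK, not by its name."""
    return signers.get(cert_der_hex.lower(), default_seinfo)


def parse_seapp_contexts(text):
    """Parse key=value lines and apply the checks check_seapp enforces at build time."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        unknown = set(kv) - set(INPUT_SELECTORS) - set(OUTPUT_SELECTORS)
        if unknown:
            raise ValueError("line %d: unknown selector(s) %s" % (lineno, sorted(unknown)))
        # A bare package name is not a trust boundary: anyone can ship an APK with that name.
        if "name" in kv and "seinfo" not in kv:
            raise ValueError("line %d: name= must be used together with seinfo=" % lineno)
        if "domain" not in kv and "type" not in kv:
            raise ValueError("line %d: entry has no output selector" % lineno)
        entries.append(kv)
    return entries


def _matches(entry, ctx):
    for key in INPUT_SELECTORS:
        if key not in entry:
            continue
        want, have = entry[key], ctx.get(key)
        if have is None:
            return False
        if key in ("user", "name", "path") and want.endswith("*"):
            if not have.startswith(want[:-1]):
                return False
        elif want != have:
            return False
    return True


def _level(entry, uid):
    """MLS categories derived from appid/userid (assumed Android 5-8 encoding)."""
    appid, userid = uid % 100000, uid // 100000
    base = entry.get("level", "s0")
    app_cats = [appid & 0xFF, 256 + ((appid >> 8) & 0xFF)]
    user_cats = [512 + (userid & 0xFF), 768 + ((userid >> 8) & 0xFF)]
    cats = {"app": app_cats, "user": user_cats, "all": app_cats + user_cats}.get(entry.get("levelFrom"))
    return base if cats is None else base + ":" + ",".join("c%d" % c for c in cats)


def label_app(entries, uid, seinfo, pkg, user="_app"):
    """Return the process and data-directory contexts for an installed app, or None."""
    ctx = {"isSystemServer": "false", "user": user, "seinfo": seinfo, "name": pkg}
    best, best_score = None, -1
    for e in entries:
        if _matches(e, ctx):
            score = sum(1 for k in INPUT_SELECTORS if k in e)  # more selectors = more specific
            if score > best_score:
                best, best_score = e, score
    if best is None:
        return None
    level = _level(best, uid)
    return {
        "domain": "u:r:%s:%s" % (best["domain"], level) if "domain" in best else None,
        "data": "u:object_r:%s:%s" % (best["type"], level) if "type" in best else None,
    }


def resolve(cert_der_hex, uid, pkg):
    """Full chain for one app: cert -> seinfo -> contexts."""
    signers, default = load_mac_permissions(MAC_PERMISSIONS_XML)
    return label_app(parse_seapp_contexts(SEAPP_CONTEXTS), uid, seinfo_for_cert(cert_der_hex, signers, default), pkg)


if __name__ == "__main__":
    for cert, pkg in (("30820bbb", "com.example.secure"), ("30820bbb", "com.example.other"),
                      ("deadbeef", "com.example.secure"), ("30820aaa", "com.android.settings")):
        print(cert, pkg, resolve(cert, 10123, pkg))
```

The last two runs in `__main__` make the reply's point concrete: an APK named com.example.secure but signed with an unknown key falls through to the default seinfo and lands in untrusted_app with the generic app_data_file type, while the entry that grants the special type only fires when both the key-derived seinfo and the package name match.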
