On Oct 18, 2016 10:41 AM, "Sava Mikalački" <mikalac...@gmail.com> wrote:
>
> Thanks everyone for your quick answers. Yes, compilation worked once I
> defined the type in file.te. I will try this out and also will try with
> system_app, probably that's simpler as you said. What's confusing me is that
> I get Permission denied exception when I try to create a file in that
> directory with a system app but there is no selinux avc denial before the
> exception, it just fires the exception and that's it, so I'm afraid if
> changing the sepolicy would even work.

That's the DAC issues Stephen pointed out

>
> 2016-10-18 16:35 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
>>
>> On 10/18/2016 10:23 AM, William Roberts wrote:
>> > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com
>> > <mailto:mikalac...@gmail.com>> wrote:
>> >>
>> >> I'm trying to extend aosp file_contexts by adding a new entry for
>> >> /data/system/ifw. I've created a file_contexts under my vendor directory
>> >> structure but if I try to use the new label, build crashes with unknown
>> >> type. I'm
>> >
>> > You need to declare the type with the type keyword:
>> >
>> > type system_data_ifw, file_type;
>> >
>> >> trying to enable a platform_app to write to data/system/ifw and here is
>> >> what I have so far:
>> >> file_contexts:
>> >> /data/system/ifw(/.*)?  u:object_r:system_data_ifw:s0
>> >> platform_app.te:
>> >> allow platform_app system_data_ifw:file create_file_perms;
>> >
>> > Platform applications shouldn't be creating stuff around the system,
>> > they should stick to their sandbox. I can't recall offhand, but a
>> > neverallow I wrote might assert itself on that allow rule.
>>
>> Probably not since it is a new type he just defined.  However, it occurs
>> to me that DAC will be a problem for this use case, since platform apps
>> can be assigned arbitrary UIDs and thus won't be able to pass the DAC
>> checks on writing to /data/system/ifw unless you set up a group, map a
>> permission to that group, assign that group to /data/system/ifw, and
>> make it group-writable.  Simpler if you use a system_app or some other
>> fixed UID app instead, although that carries its own set of issues.
>>
>>
>
>
>
> --
> I have only two questions: How much and give it to me.
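An added example, not from anyone on this thread, that pulls the pieces discussed above into one place: the type declaration William gave, the file_contexts entry, allow rules for system_app instead of platform_app as Stephen suggested, and an init.rc fragment covering the DAC side that produces the "Permission denied with no AVC denial" symptom when missing. The file names, the data_file_type attribute, the init trigger and the directory mode/owner are assumptions for illustration.

```sepolicy
# --- system_data_ifw.te (assumed file name; any vendor .te works) ---
# Declare the type first: file_contexts may only reference declared types,
# otherwise the build fails with "unknown type" as Sava saw.
# file_type is what William gave; data_file_type is an assumed extra
# attribute so the generic /data rules also cover this label.
type system_data_ifw, file_type, data_file_type;

# --- system_app.te ---
# MAC side: grant a fixed-UID domain (system_app runs as UID system)
# rather than platform_app, whose UID varies per app. Build-time
# neverallow rules still apply to these lines (assumed to pass here).
allow system_app system_data_ifw:dir create_dir_perms;
allow system_app system_data_ifw:file create_file_perms;

# --- file_contexts ---
/data/system/ifw(/.*)?    u:object_r:system_data_ifw:s0

# --- init.rc (assumed fragment) ---
# DAC side: SELinux is only consulted after the DAC check passes, so the
# directory must be owned by / writable for the app's UID or you get
# EACCES with no avc denial in the log. With system_app, owner
# system:system and mode 0770 is enough.
on post-fs-data
    mkdir /data/system/ifw 0770 system system
    restorecon_recursive /data/system/ifw
```

A quick on-device check is `ls -laZ /data/system/ifw`: the label column must read system_data_ifw and the owner/mode must match the UID the app actually runs as.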
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.
