On 10/18/2016 10:41 AM, Sava Mikalački wrote:
> Thanks everyone for your quick answers. Yes, compilation worked once I
> defined the type in file.te. I will try this out and also will try with
> system_app, probably that's simpler as you said. What's confusing me is
> that I get a Permission denied exception when I try to create a file in
> that directory with a system app, but there is no SELinux AVC denial
> before the exception; it just fires the exception and that's it, so I'm
> afraid that changing the sepolicy might not even work.

What's the ownership and mode of the directory?

> 2016-10-18 16:35 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
>
> > On 10/18/2016 10:23 AM, William Roberts wrote:
> > > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com> wrote:
> > > >
> > > > I'm trying to extend AOSP file_contexts by adding a new entry for
> > > > /data/system/ifw. I've created a file_contexts under my vendor directory
> > > > structure, but if I try to use the new label, the build crashes with
> > > > unknown type. I'm
> > >
> > > You need to declare the type with the type keyword:
> > >
> > >     type system_data_ifw, file_type;
> > >
> > > > trying to enable a platform_app to write to data/system/ifw and here is
> > > > what I have so far:
> > > >
> > > > file_contexts:
> > > >     /data/system/ifw(/.*)?    u:object_r:system_data_ifw:s0
> > > >
> > > > platform_app.te:
> > > >     allow platform_app system_data_ifw:file create_file_perms;
> > >
> > > Platform applications shouldn't be creating stuff around the system,
> > > they should stick to their sandbox. I can't recall offhand, but a
> > > neverallow I wrote might assert itself on that allow rule.
> >
> > Probably not since it is a new type he just defined. However, it occurs
> > to me that DAC will be a problem for this use case, since platform apps
> > can be assigned arbitrary UIDs and thus won't be able to pass the DAC
> > checks on writing to /data/system/ifw unless you set up a group, map a
> > permission to that group, assign that group to /data/system/ifw, and
> > make it group-writable. Simpler if you use a system_app or some other
> > fixed UID app instead, although that carries its own set of issues.
>
> --
> I have only two questions: How much and give it to me.
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
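As an added illustration of the DAC point Stephen raises and of why a "Permission denied" can arrive with no AVC line (this is example code, not from the thread): the kernel evaluates owner, group and mode before the SELinux hook runs, so an app that fails DAC gets EACCES and SELinux is never consulted. The function below takes a constructed `ls -ldZ` line (not captured from a device) plus made-up app uid and gid names and decides whether the DAC side of creating a file in that directory would pass.

```shell
#!/bin/sh
# Added example, not code from the thread. Creating a file in a directory
# needs write and search (x) permission on the directory under DAC; the
# SELinux check (the allow rule on system_data_ifw) only runs after that.

# Constructed sample of `ls -ldZ /data/system/ifw` output, not real device
# output. Fields: mode, links, owner, group, SELinux context, size, ...
SAMPLE_LS='drwxrwx--- 2 system system u:object_r:system_data_file:s0 4096 2016-10-18 10:41 /data/system/ifw'

ch() { printf '%s\n' "$1" | cut -c"$2"; }   # character N of a string

# dac_can_create LS_LINE USER "GROUP ..."
# Prints yes or no. USER is the app's uid name and the third argument its
# gid names; u0_a57 below is a constructed app uid. Root with
# CAP_DAC_OVERRIDE is not modelled since apps never have it.
dac_can_create() {
    user=$2
    groups=$3
    set -- $1                     # split the ls line into its fields
    mode=$1; owner=$3; group=$4   # e.g. drwxrwx---, system, system
    if [ "$user" = "$owner" ]; then
        w=$(ch "$mode" 3); x=$(ch "$mode" 4)
    else
        # start from the "other" bits; a matching group replaces them
        w=$(ch "$mode" 9); x=$(ch "$mode" 10)
        for g in $groups; do
            if [ "$g" = "$group" ]; then
                w=$(ch "$mode" 6); x=$(ch "$mode" 7)
                break
            fi
        done
    fi
    # the x position shows s (setgid) or t (sticky) when those bits are set
    case "$w$x" in
        w[xst]) echo yes ;;
        *)      echo no ;;
    esac
}

# system_app runs as uid system and passes DAC; a platform_app with an
# arbitrary app uid fails unless it is in the directory's group, which is
# the group setup Stephen describes.
dac_can_create "$SAMPLE_LS" system "system"
dac_can_create "$SAMPLE_LS" u0_a57 "u0_a57 inet"
dac_can_create "$SAMPLE_LS" u0_a57 "u0_a57 system"
```

A "no" here explains an EACCES with no avc: denied line; only once DAC answers "yes" does the SELinux rule on the directory's type matter.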