On Fri, Nov 4, 2016 at 6:47 AM, peng fei <fionapeng...@gmail.com> wrote:
> 1. create an executable C program named setest to create, read and write
> hello.txt.
> 2. push the setest to /data. root@grouper:/data # ./setest ----this will
> create hello.txt in /data
> 3. add setest.te in external/sepolicy :
>
> setest.te
>
> type setest, domain, mlstrustedsubject;
> type setest_exec, exec_type, file_type;
> permissive setest;
> domain_auto_trans(shell, setest_exec, setest)
> #I think I execute the setest by ./setest , so it can be transformed from
> shell to setest.
> auditallow setest sec_file : file rwx_file_perms;

setest is permissive, so it should audit all accesses not explicitly marked with a dontaudit.

>
>
> 4. add new context to the file_contexts.
>
> /data/hello.txt u:object_r:sec_file:s0

Labels are inherited from the parent directory unless explicitly changed, thus /data/hello.txt will have the label of /data unless:
1. setest uses libselinux setfscreatecon() to change it at file creation
2. something (like setest) calls restorecon on the file path.

Android best practices dictate that services and such have their own working directory under /data, thus if you have an init.rc to make /data/setest, init builtins and relabeling will ensure that /data/setest has the label in file_contexts, and thus any files underneath will inherit that label.

> /data/setest u:object_r:setest_exec:s0
>
>
> 5. add new type in the file.te
>
> #/data/hello.txt
> type sec_file, file_type, data_file_type;
>
>
> 6. compile the policy and adb push sepolicy,
> file_contexts,"seapp_contexts",'service_contexts','property_contexts to
> /data/security/current.
>
> copy /selinux_version to /data/security/current.
>
> root@grouper:/data/security/current # setprop selinux.reload_policy 1

Dynamically loaded policy is not supported by Android anymore, so make sure your device supports this or you build and flash complete images (boot.img and system.img must be flashed).

> root@grouper:/data/security/current # restorecon file_contexts

This doesn't do what I think you think it does :-P. This relabels the file_contexts file to what it is in file_contexts. libselinux opens file_contexts under the hood, no arguments. If you want to relabel /data you need to restorecon -R /data or reboot the device.

> reboot

Reboot may not work with dynamically loaded policy because /data is mounted and automatically relabeled by init scripts and installd (for app data dirs). However, this would occur likely before the dynamically loaded policy is used for relabeling.

Since I don't know the state of your tree with respect to dynamically loaded policy, it's likely best to just flash full images.

>
> -------------------------------------------------------------------------------------------------------------------
> but the result is :
>
> root@grouper:/data # ls -Z
> -rw------- root root u:object_r:sec_file:s0 hello.txt
> -rwxrwxrwx shell shell u:object_r:system_data_file:s0 setest
>
>
> the type of hello.txt is as I expected, sec_file,
> but the type of setest is not setest_exec
>
> --------------------------------------------------------------------------------------------------------------------
> please help me, thanks in advance.
>
> _______________________________________________
> Seandroid-list mailing list
> Seandroid-list@tycho.nsa.gov
> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> seandroid-list-requ...@tycho.nsa.gov.

--
Respectfully,
William C Roberts
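The two mechanisms the reply relies on, that a new file inherits its parent directory's label unless the creator set a create context (setfscreatecon) or something runs restorecon on it, and that `restorecon file_contexts` only relabels that one file while `restorecon -R /data` walks the tree, can be shown with a small in-memory model. The code below is an added illustration, not code from the thread or from AOSP: it models a file_contexts table and a labeled directory tree, then replays the push/run/restorecon sequence from the thread. The `/data(/.*)?` default entry is the standard AOSP one; the `rootfs` label for `/`, the longest-regex-wins tie-break, and the class and method names are all constructed here for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

SYSTEM_DATA = "u:object_r:system_data_file:s0"
SEC_FILE = "u:object_r:sec_file:s0"
SETEST_EXEC = "u:object_r:setest_exec:s0"


class FileContexts:
    """Model of a file_contexts table: anchored regex -> label.

    Assumption (simplification of libselinux's stem/specificity ordering):
    when several entries match a path, the longest regex wins.
    """

    def __init__(self, entries: List[Tuple[str, str]]) -> None:
        self.entries = [(re.compile("^" + pat + "$"), label) for pat, label in entries]

    def lookup(self, path: str) -> Optional[str]:
        best = None
        for rx, label in self.entries:
            if rx.match(path) and (best is None or len(rx.pattern) > len(best[0].pattern)):
                best = (rx, label)
        return best[1] if best else None


class LabeledFs:
    """In-memory tree of path -> security label, mimicking the filesystem."""

    def __init__(self, root_label: str) -> None:
        self.labels: Dict[str, str] = {"/": root_label}

    @staticmethod
    def _parent(path: str) -> str:
        return path.rsplit("/", 1)[0] or "/"

    def mkdir(self, path: str, label: Optional[str] = None) -> None:
        # Directories inherit too; init's mkdir builtin restores the label afterwards,
        # which is what the explicit `label` argument stands in for here.
        self.labels[path] = label or self.labels[self._parent(path)]

    def create(self, path: str, fscreatecon: Optional[str] = None) -> str:
        # A new file takes the parent's label unless a create context was set
        # beforehand (libselinux setfscreatecon()).
        self.labels[path] = fscreatecon or self.labels[self._parent(path)]
        return self.labels[path]

    def restorecon(self, fc: FileContexts, path: str, recursive: bool = False) -> Dict[str, Tuple[str, str]]:
        # Without -R only `path` itself is relabeled; with -R every entry beneath it.
        targets = [path]
        if recursive:
            prefix = path.rstrip("/") + "/"
            targets += [p for p in self.labels if p.startswith(prefix)]
        changed: Dict[str, Tuple[str, str]] = {}
        for p in targets:
            want = fc.lookup(p)
            if want and want != self.labels[p]:
                changed[p] = (self.labels[p], want)
                self.labels[p] = want
        return changed


def replay_thread() -> Dict[str, object]:
    """Replay the sequence from the thread against the model and return what was observed."""
    fc = FileContexts([
        (r"/data(/.*)?", SYSTEM_DATA),      # AOSP default for /data
        (r"/data/hello\.txt", SEC_FILE),    # entry from the thread (dot escaped)
        (r"/data/setest", SETEST_EXEC),     # entry from the thread
    ])
    fs = LabeledFs("u:object_r:rootfs:s0")  # constructed root label
    fs.mkdir("/data", SYSTEM_DATA)
    fs.mkdir("/data/security")
    fs.mkdir("/data/security/current")
    fs.create("/data/security/current/file_contexts")  # adb push of the policy files
    fs.create("/data/setest")                          # adb push: inherits from /data
    fs.create("/data/hello.txt")                       # ./setest with no create context
    after_push = dict(fs.labels)

    # `restorecon file_contexts` from /data/security/current: touches only that file.
    single = fs.restorecon(fc, "/data/security/current/file_contexts")
    after_single = dict(fs.labels)

    # `restorecon -R /data`: walks the tree and applies the file_contexts entries.
    recursive = fs.restorecon(fc, "/data", recursive=True)
    after_recursive = dict(fs.labels)

    # Alternative from the reply: set the create context before creating the file.
    fs2 = LabeledFs("u:object_r:rootfs:s0")
    fs2.mkdir("/data", SYSTEM_DATA)
    with_createcon = fs2.create("/data/hello.txt", fscreatecon=SEC_FILE)

    return {
        "after_push": after_push,
        "single_changed": single,
        "after_single": after_single,
        "recursive_changed": recursive,
        "after_recursive": after_recursive,
        "with_createcon": with_createcon,
    }


if __name__ == "__main__":
    for key, value in replay_thread().items():
        print(key, value)
```

In the model, both pushed files come out as system_data_file right after the push and the run, the single-file restorecon changes nothing, and only the recursive pass (or a create context set before the file is made) produces sec_file and setest_exec.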