On Fri, May 19, 2017 at 6:09 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Fri, 2017-05-19 at 16:52 +0900, HAN wrote:
>> Dear All,
>>
>> I'm doing SEAndroid in my company and have one question.
>> Our developers often add SEAndroid policies for their own functions.
>>
>> However, they don't know whether their policies violate neverallow
>> rules or not.
>> Since our environment is slow to build the kernel, I want to suggest
>> checking their policies before pushing to our repository.
>>
>> So I want to apply a system which verifies entered policies and
>> returns the neverallow checking result.
>>
>> Is there any tool for this?
>>
>> I've checked the "sepolicy-analyze" tool, but it looks like it checks a
>> sepolicy binary for neverallow, not raw allow rules.
>>
>> Any response will be greatly appreciated and hope you have a great
>> day.
>
> Sorry, I don't follow. All they have to do is test building the
> policy; any neverallow failures will be caught at build time.
>
> mmm -B system/sepolicy
>
The only problem with Stephen's approach is it won't build dependencies, so depending on how you have it set up, mmma might work better.

mmma -B system/sepolicy

You could automate your CI system to do this for patches that affect the SEAndroid configuration. You want to ensure that changes to seapp_contexts and file_contexts are run, as checkfc and check_seapp have been instrumented to check certain things.
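As an added example (not code from the thread or from AOSP), here is a POSIX shell gate for the CI automation the reply describes: it picks out the changed paths that affect policy (sepolicy directories, .te sources, seapp_contexts and file_contexts) and runs `mmma -B system/sepolicy` only when there are any, failing closed if the change set cannot be determined. It assumes it is sourced into a shell where `build/envsetup.sh` and `lunch` have already run, since `mmma` is a shell function defined by envsetup; the function names and the `HEAD~1` default base ref are my own.

```shell
# Added example: source this file in an envsetup'd Android build shell
# (assumption: `. build/envsetup.sh && lunch <target>` already done, so
# `mmma` is defined), then call `sepolicy_gate <base-ref>`.

# Filter stdin to the paths that affect SEAndroid policy: anything under a
# sepolicy directory, *.te sources, and the seapp_contexts / file_contexts
# files that check_seapp and checkfc validate at build time.
sepolicy_paths() {
    grep -E '(^|/)sepolicy/|\.te$|(^|/)(seapp_contexts|file_contexts)$' || true
}

# Exit 0 if stdin names at least one policy-relevant path, 1 otherwise.
has_policy_change() {
    sepolicy_paths | grep -q .
}

# Compare HEAD against a base ref (default HEAD~1 is an assumption; a CI
# job would pass its target branch). Returns 0 = policy changed, 1 = not,
# 2 = git failed, so the caller can fail closed instead of silently skipping.
policy_changed() {
    base=$1
    [ -n "$base" ] || base=HEAD~1
    files=$(git diff --name-only "$base...HEAD") || return 2
    printf '%s\n' "$files" | has_policy_change
}

# Build the policy only when a policy source changed. The build itself is
# what fails on neverallow violations and on checkfc/check_seapp errors.
sepolicy_gate() {
    if policy_changed "$1"; then
        echo "SEAndroid policy sources changed; building system/sepolicy" >&2
        mmma -B system/sepolicy
    elif [ $? -eq 1 ]; then
        echo "No SEAndroid policy changes; skipping policy build" >&2
    else
        echo "Could not determine changed files; refusing to skip the check" >&2
        return 2
    fi
}
```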