On Wed, 2017-06-14 at 11:03 +0800, peng fei wrote:
> I want to add a context '/data/data/com.UCMobile.intl/databases(/.*)?
> u:object_r:ub_data_file:s0' in the file_contexts.
> And only allow UCMobile read and write
> /data/data/com.UCMobile.intl/databases.
>
> Can it take effect?
>
> Please help me. Thanks in advance.
App data directories are labeled based on seapp_contexts, not file_contexts. You would likely need/want to add an entry to mac_permissions.xml for UCMobile to map its certificate and package name to a unique seinfo tag and add the path to the certificate to keys.conf, and add an entry to seapp_contexts to assign a distinct domain and type for apps with that seinfo tag. seapp_contexts also has a name= specifier that can be used to identify the package name, but that always needs to be paired with a seinfo= tag to ensure that it was signed with an appropriate certificate.

Generally a single type is assigned to the entire app data directory, not just to a particular subdirectory like databases. You could perhaps use the path= specifier in seapp_contexts to limit the type to the databases subdirectory, but I doubt that is really what you want (and it requires your app or whatever creates the directory to call setfscreatecon() before mkdir() or restorecon() after mkdir() to assign that type to the directory). Much easier to just apply ub_data_file or whatever type it is to all files under /data/data/com.UCMobile.intl.

An alternative to introducing a distinct domain/type would just be to enable levelFrom=all, at least for this particular app, which would enable a unique category set for the app and thereby prevent any other app from opening its files.
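The configuration chain described in the reply (certificate -> seinfo tag -> domain/type), written out as an added illustration that is not part of the original thread; the seinfo value "ucmobile", the domain name "ucmobile_app", the certificate path and the key alias "@UCMOBILE" are placeholders chosen for this example, and the policy rules are the minimum needed for the app to use its own data directory.

```text
# keys.conf -- map the key alias used below to the app's signing certificate
# (path is a placeholder; point it at the real UCMobile release certificate)
[@UCMOBILE]
ALL : device/vendor/certs/ucmobile.x509.pem

# mac_permissions.xml -- bind the certificate AND the package name to one seinfo tag;
# the package stanza means only this package, signed by this key, gets the tag
<policy>
  <signer signature="@UCMOBILE" >
    <package name="com.UCMobile.intl" >
      <seinfo value="ucmobile" />
    </package>
  </signer>
</policy>

# seapp_contexts -- assign a distinct domain and data-file type to apps carrying
# that seinfo tag. name= alone is not enough: it must be paired with seinfo= so
# a differently signed app using the same package name does not get the label.
# installd labels /data/data/com.UCMobile.intl (all of it) with the type= value.
user=_app seinfo=ucmobile name=com.UCMobile.intl domain=ucmobile_app type=ub_data_file levelFrom=user

# ucmobile_app.te -- the new domain and type. ub_data_file is deliberately NOT
# given the app_data_file type, so the generic untrusted_app rules that allow
# access to app_data_file do not apply to UCMobile's files.
type ucmobile_app, domain;
type ub_data_file, file_type, data_file_type;
app_domain(ucmobile_app)
net_domain(ucmobile_app)
allow ucmobile_app ub_data_file:dir create_dir_perms;
allow ucmobile_app ub_data_file:file create_file_perms;

# Alternative without a new domain/type (the levelFrom=all option from the reply):
# keep the stock untrusted_app domain and app_data_file type, but give this app a
# unique MLS category set so other apps' contexts cannot open its files at all.
# user=_app seinfo=ucmobile name=com.UCMobile.intl domain=untrusted_app type=app_data_file levelFrom=all
```

A quick check after installing the app: `ls -Z /data/data/com.UCMobile.intl` should show the directory itself, not only databases/, labeled with the chosen type (or, for the levelFrom=all variant, with a per-app category set such as `s0:c512,c768`).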