On 8/16/23 15:26, enh wrote: >> I long ago came to the conclusion I can't make a system secure, all I can do >> is >> annoy attackers into choosing a less vexing target. But I don't want to the >> the >> same to users or developers, so it's always a balancing act. > > meh, if your selinux labels are wrong, stuff stops working. you can > either fix it yourself or `setenforce 0` if you _know_ what you're > doing isn't compatible with selinux rules for actual shipping systems > and don't care because you're just testing a thing. ...> fwiw, i wouldn't assume it's actually ever been tested? i'd imagine > most [OS] developers are doing `adb sync` instead anyway. any `cp -r` > action is most likely just a quick test in /data/local/tmp --- which > is so useful _because_ it's the wild west where many of the usual > rules don't apply (but only the root or shell users can do anything > with it).
Speaking of tested, what does a good selinux test _look_ like here? The ls -Z stuff is using regexes. I have a Fedora 36 ISO image that says: $ ls -Z . unconfined_u:object_r:user_home_t:s0 Desktop unconfined_u:object_r:user_home_t:s0 Documents unconfined_u:object_r:user_home_t:s0 Downloads unconfined_u:object_r:audio_home_t:s0 Music unconfined_u:object_r:user_home_t:s0 Pictures unconfined_u:object_r:user_home_t:s0 Public unconfined_u:object_r:user_home_t:s0 Templates unconfined_u:object_r:user_home_t:s0 Videos And I don't know what any of that means? (I always delete all the directories except "Downloads" immediately on any new install, and only keep that one because every web browser uses it.) (I still haven't managed to build a vanilla Android system that boots under vanilla kvm. Did https://www.xda-developers.com/microdroid-stripped-down-android-virtual-machines/ ever turn into a thing?) Anyway, I've been poking at the whole tests-under-mkroot thing so I can run tests as root under a known environment for things like "yes the host system and this filesystem are capable of doing selinux but haven't got any weird rules that make stuff go 'boing' by themselves", but setting up a hand-crafted test environment doesn't help if I don't know what success looks like. I'm hoping I can "setprop" something, cp -a, and then "getprop" to see that it got propagated successfully? I suppose I can just copy one of the Fedora labels... Rob _______________________________________________ Toybox mailing list Toybox@lists.landley.net http://lists.landley.net/listinfo.cgi/toybox-landley.net