Lines Matching full:selinux
21 Android begins supporting Security-Enhanced Linux (SELinux), a tool for applying
22 access control policies. SELinux enhances Android security, and contributions to
25 href="http://source.android.com/">source.android.com</a>. With SELinux, Android
30 <p>In this release, Android includes SELinux in permissive mode and a
36 software and SELinux policies before enforcing them.</p>
38 <h2 id="background">Background</h2> <p>Used properly, SELinux greatly limits the
39 potential damage of compromised machines and accounts. When you adopt SELinux,
44 <p>SELinux provides a mandatory access control (MAC) umbrella over traditional
48 that user can write to every raw block device. However, SELinux can be used to
54 address them with SELinux.</p>
56 <h2 id="implementation">Implementation</h2> <p>Android’s initial SELinux
61 <p>SELinux is launching in permissive mode on Android to enable the first phase
63 SELinux now.</p>
76 <p>Those files when compiled comprise the SELinux kernel security policy and
94 <p>After rebuilding your device, it is enabled with SELinux. You can now either
95 customize your SELinux policies to accommodate your own additions to the Android
104 program</a> requirements and not remove the default SELinux settings.</p>
107 risk breaking the Android SELinux implementation and the applications it
110 modification to continue functioning on SELinux-enabled devices.</p>
116 <p>SELinux uses a whitelist approach, meaning it grants special privileges based
138 <p>Create SELinux
141 <p>Put those policies in *.te files (the extension for SELinux policy source
145 <p>Release your SELinux implementation in permissive
152 SELinux compatibility going forward. In an ideal software development process,
153 SELinux policy changes only when the software model changes and not the actual
156 <p>As device manufacturers begin to customize SELinux, they should first audit
165 others, it should supply the modifications to the default SELinux policy as a <a
171 consider when crafting your own software and associated SELinux policies:</p>
180 will never traverse a symlink, you can prohibit it from doing so with SELinux.</p>
188 <p>With SELinux, you can identify those files as system server data files.
205 customize the SELinux policy settings. See the <em>Customization</em> section
207 SELinux policy and make the minimum possible set of changes to address their
208 additions to Android. Existing Android SELinux policy files are found in the
213 <p>Android upgraded its SELinux policy version to allow the SELinux mode to be
218 setting is made at the top of each SELinux policy source (*.te) file.</p>
220 <p>Here are the files you must create or edit in order to customize SELinux:</p>
223 <p><em>New SELinux policy source (*.te) files</em> - Located in the
226 existing policy files during compilation into a single SELinux kernel policy
262 existing SELinux settings and into a single security policy. These overrides add
269 their SELinux implementations thoroughly. As manufacturers implement SELinux,
273 <p>Once applied, make sure SELinux is running in the correct mode on the device
276 <p>This will print the SELinux mode: either Disabled, Enforcing, or Permissive.
282 and viewable locally on the device. Manufacturers should examine the SELinux output
287 components are in violation of SELinux policy. Manufacturers can then repair
288 this bad behavior, either by changes to the software, SELinux policy, or
297 <p>Then run the SELinux-enabled devices through the <a
305 <code>dmesg</code>, you can consider your SELinux implementation compatible.</p>
310 encouraged to work with their Android account managers to analyze SELinux
312 common manufacturer additions in its default SELinux policy. For more
