
Lines Matching full:selinux

1 page.title=Customizing SELinux
29 to the Android operating system. Of course, these policies must still meet the <a href="{@docRoot}compatibility/index.html">Android Compatibility program</a> requirements and not remove the default SELinux settings.</p>
32 risk breaking the Android SELinux implementation and the applications it
35 modification to continue functioning on SELinux-enabled devices.</p>
37 <p>When embarking upon customizing SELinux, manufacturers should remember to:</p>
40 <li>Write SELinux policy for all new daemons
59 <p>SELinux uses a whitelist approach, meaning all access must be explicitly
60 allowed in policy in order to be granted. Since Android's default SELinux
62 to modify SELinux settings in any way. If they do customize SELinux settings,
71 <li>Create SELinux policies that isolate those tasks from unrelated functions.
72 <li>Put those policies in *.te files (the extension for SELinux policy source
84 SELinux compatibility going forward. In an ideal software development process,
85 SELinux policy changes only when the software model changes and not the actual
88 <p>As device manufacturers begin to customize SELinux, they should first audit
97 should supply the modifications to the default SELinux policy as a <a href="{@docRoot}source/submit-patches.html">patch</a>. If the patch is applied to the default security policy, the manufacturer will no longer need to make this change with each new Android release.</p>
101 <p>First, note that Android's SELinux policy source is preprocessed with the <a href="https://www.gnu.org/software/m4/manual/index.html">M4</a> macro language (SELinux itself is a kernel security module; M4 is used only at policy build time), so policy files can use a variety of macros to save time.</p>
114 <p>This same statement can be written with SELinux <code>*_file_perms</code> macros (shorthand):</p>
171 <p>In the line <code>allow dhcp proc_net:file write;</code>, the policy states that DHCP can write to specific files in <code>/proc</code>. This line demonstrates SELinux's fine-grained file labeling: it uses the <code>proc_net</code> label to limit write access to only the files under <code>/proc/sys/net</code>, rather than to <code>/proc</code> as a whole.</p>
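<p>The following is an added example, not code from this page or from the AOSP sepolicy tree. It serves three of the fragments above at once: the advice to put new-daemon rules in <code>*.te</code> files, the <code>*_file_perms</code> shorthand, and the <code>allow dhcp proc_net:file write;</code> rule. It is a small Python helper that flattens the <code>*_file_perms</code> macros in an <code>allow</code> rule into the concrete permissions they grant, and that flags rules whose source domain a vendor fragment never declares (a hint that the change belongs in a patch to the default policy instead). The macro bodies are hand-copied in the shape of <code>system/sepolicy</code>'s <code>global_macros</code> and drift between Android releases, so they are an assumption to be checked against your own tree; <code>foo_daemon</code>, <code>foo_data_file</code> and the sample <code>.te</code> fragment are constructed for illustration.</p>

```python
"""Expand the *_file_perms shorthand used in Android SELinux .te rules.

Added example, not code from the Android page or the AOSP tree. The macro
bodies below are hand-copied in the shape of system/sepolicy's global_macros;
they change between releases (newer trees add perms such as watch/watch_reads),
so regenerate them from the global_macros file in your own tree before use.
"""
import re

# Hand-copied subset of global_macros (assumption: verify against your tree).
FILE_PERMS_MACROS = {
    "x_file_perms": "{ getattr execute execute_no_trans map }",
    "r_file_perms": "{ getattr open read ioctl lock map }",
    "w_file_perms": "{ open append write lock map }",
    "rx_file_perms": "{ r_file_perms x_file_perms }",
    "ra_file_perms": "{ r_file_perms append }",
    "rw_file_perms": "{ r_file_perms w_file_perms }",
    "rwx_file_perms": "{ rw_file_perms x_file_perms }",
    "create_file_perms": "{ create rename setattr unlink rw_file_perms }",
}

ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(.+?)\s*;\s*$")
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,\s*([\w\s,]+?))?\s*;\s*$")


def expand_perms(perm_expr):
    """Flatten a permission expression (literal set or macro) into sorted perms."""
    perms = set()
    for tok in perm_expr.replace("{", " ").replace("}", " ").split():
        if tok in FILE_PERMS_MACROS:
            perms |= set(expand_perms(FILE_PERMS_MACROS[tok]))  # nested macro
        else:
            perms.add(tok)
    return sorted(perms)


def parse_allow(line):
    """Return (source, target, class, perms) for an allow rule, or None."""
    m = ALLOW_RE.match(line)
    if not m:
        return None
    src, tgt, cls, perm_expr = m.groups()
    return (src, tgt, cls, expand_perms(perm_expr))


def declared_domains(policy_text):
    """Names declared with `type NAME, ..., domain;` in the fragment."""
    domains = set()
    for line in policy_text.splitlines():
        m = TYPE_RE.match(line)
        if m and m.group(2) and "domain" in m.group(2).replace(",", " ").split():
            domains.add(m.group(1))
    return domains


def undeclared_sources(policy_text):
    """Sources of allow rules that the fragment itself never declares as a domain.

    A vendor .te that grants access to a domain it does not own (e.g. a core
    domain such as dhcp) is usually a change that belongs in a patch to the
    default policy, not in the device tree.
    """
    domains = declared_domains(policy_text)
    missing = set()
    for line in policy_text.splitlines():
        rule = parse_allow(line)
        if rule and rule[0] not in domains:
            missing.add(rule[0])
    return sorted(missing)


# Constructed sample vendor policy for a hypothetical daemon (not from AOSP).
SAMPLE_TE = """
type foo_daemon, domain;
type foo_daemon_exec, exec_type, vendor_file_type, file_type;
type foo_data_file, file_type, data_file_type;
init_daemon_domain(foo_daemon)

# Long form, and the macro shorthand that looks equivalent:
allow foo_daemon foo_data_file:file { open read write };
allow foo_daemon foo_data_file:file rw_file_perms;

# Fine-grained /proc labeling, in the style of the page's dhcp rule:
allow foo_daemon proc_net:file write;
"""

if __name__ == "__main__":
    for line in SAMPLE_TE.splitlines():
        rule = parse_allow(line)
        if rule:
            print(f"{rule[0]} -> {rule[1]}:{rule[2]} {' '.join(rule[3])}")
    print("undeclared sources:", undeclared_sources(SAMPLE_TE))
```

<p>Running the sample shows the caveat a reviewer wants to see: <code>rw_file_perms</code> expands to a strict superset of the literal <code>{ open read write }</code> (it also grants <code>getattr</code>, <code>ioctl</code>, <code>lock</code>, <code>map</code> and <code>append</code> with the macro bodies assumed here), so "rewriting" a rule with the shorthand widens it. Use the macros for readability, but diff the expansion against what the daemon actually needs.</p>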