<html devsite><head>
    <title> SELinux</title>
    <meta name="project_path" value="/_project.yaml"/>
    <meta name="book_path" value="/_book.yaml"/>
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->

<p>SELinux  SELinux  Android  SELinux <a href="/security/selinux#supporting_documentation"></a></p>

<h2 id="summary_of_steps"></h2>

<p> Android  SELinux </p>

<ol>
  <li> SELinux
  </li><li> <code>init</code>
  </li><li><ul>
    <li> init.&lt;device&gt;.rc
    </li><li> <code>dmesg</code> init:  Warning!  Service name needs a SELinux domain defined; please fix!init SELinux <em></em>
    </li><li> <code>ps -Z | grep init</code>  init
  </li></ul>
  </li><li> AOSP
  </li><li>
</li></ol>

<p> (OEM)  AOSP </p>

<h2 id="key_files"></h2>

<p>SELinux for Android  SELinux <a href="https://android.googlesource.com/kernel/common/"> Android </a> <a href="https://android.googlesource.com/platform/system/sepolicy/">system/sepolicy</a> </p>

<p><a href="https://android.googlesource.com/kernel/common/">https://android.googlesource.com/kernel/common/</a></p>

<p><a href="https://android.googlesource.com/platform/system/sepolicy/">https://android.googlesource.com/platform/system/sepolicy/</a></p>

<p> SELinux  Android  system/sepolicy  /device/manufacturer/device-name/sepolicy </p>

<p> SELinux</p>

<ul>
  <li><em></em> SELinux  (*.te)  -  &lt;root&gt;/device/manufacturer/device-name/sepolicy  SELinux
<p class="caution"><strong></strong> Android  app.te </p>
  </li><li><em></em> BoardConfig.mk Makefile - &lt;device-name&gt; sepolicy  sepolicy  BoardConfig.mk makefile
  </li><li><em></em>file_contexts -  sepolicy  file_contexts <code>restorecon</code> file_contexts  restorecon_recursive  init.<em>board</em>.rc
  </li><li><em></em>genfs_contexts -  sepolicy proc  vfat inode  context=mount  vfat
  </li><li><em></em>property_contexts -  sepolicy  Android  selinux.reload_policy  1 init
  </li><li><em></em>service_contexts -  sepolicy  Android Binder Binder  selinux.reload_policy  1 servicemanager
  </li><li><em></em>seapp_contexts -  sepolicy  /data/data Zygote  selinux.reload_policy  1 installd
  </li><li><em></em>mac_permissions.xml -  sepolicy  seinfo  seinfo  seapp_contexts  seinfo system_server
</li></ul>

<p> sepolicy  BoardConfig.mk Makefile sepolicy BOARD_SEPOLICY  system/sepolicy/README </p>

<pre>
BOARD_SEPOLICY_DIRS += \
        &lt;root&gt;/device/manufacturer/device-name/sepolicy

BOARD_SEPOLICY_UNION += \
        genfs_contexts \
        file_contexts \
        sepolicy.te
</pre>

<p class="note"><strong></strong> M  BOARD_SEPOLICY_UNION BOARD_SEPOLICY_DIRS </p>

<p> SELinux Android  SELinux <a href="customize.html"></a><a href="validate.html"></a></p>

<p> BoardConfig.mk </p>

<h2 id="use_cases"></h2>

<p> SELinux </p>

<p><strong></strong> -  init</p>

<p> SELinux </p>

<p><strong></strong> -  netd init  vold  Root  netd </p>

<p> SELinux netd  Root </p>

<p><strong></strong> -  Root </p>

<p><strong>setattr</strong> -  chmod chown  setattr  Root  app_data_files  chmod  chown  shell_data_files  system_data_files </p>

<h2 id="steps_in_detail"></h2>

<p> Android  SELinux </p>

<ol>
  <li> SELinux
<code>CONFIG_SECURITY_SELINUX=y</code>
  </li><li> kernel_cmdline <br />
<code>BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive</code>
<br />
 CTS </li><li><br />
 Ubuntu 14.04 <br />
<code>adb shell su -c dmesg | grep denied | audit2allow -p out/target/product/<em>board</em>/root/sepolicy</code>
<br />
 Ubuntu 12.04 <br />
<code>adb shell su -c dmesg | grep denied | audit2allow</code>
  </li><li><a href="validate.html"></a>
  </li><li>
  </li><li> *_contexts
  </li><li>// <code>init</code> <br />
<code>$ adb shell su -c ps -Z | grep init</code><br />
<code>$ adb shell su -c dmesg | grep 'avc: '</code>
  </li><li> init.&lt;device&gt;.rc init  <code>init</code>
  </li><li> <code>BOARD_CONFIG.mk</code>  <code>BOARD_SEPOLICY_*</code>  system/sepolicy  README
  </li><li> init.&lt;device&gt;.rc  fstab.&lt;device&gt; mount context= mount
  </li><li> SELinux <a href="customize.html"></a>
</li></ol>
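<p>As an added example (not code from the AOSP documentation or the system/sepolicy project), the Python script below does the core of what the <code>dmesg | grep denied | audit2allow</code> step above relies on: it parses <code>avc: denied</code> lines, merges repeated denials by source type, target type and object class, and emits candidate <code>allow</code> rules for review. The log lines are constructed to look like <code>dmesg</code> output during bring-up in permissive mode; they are not a real device capture.</p>

```python
import re
from collections import defaultdict

# Constructed sample of what `adb shell su -c dmesg | grep denied` might show
# while the device runs with androidboot.selinux=permissive (not a real capture).
# The last line is the init warning the page mentions for a service with no domain.
SAMPLE_DMESG = """\
[   12.345678] type=1400 audit(1500000000.123:45): avc: denied { read } for pid=812 comm="vold" name="block" dev="tmpfs" ino=1234 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
[   12.345690] type=1400 audit(1500000000.124:46): avc: denied { write } for pid=812 comm="vold" name="block" dev="tmpfs" ino=1234 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
[   13.000000] type=1400 audit(1500000000.200:47): avc: denied { connectto } for pid=900 comm="netd" path="/dev/socket/property_service" scontext=u:r:netd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
[   13.100000] init: Warning!  Service foo needs a SELinux domain defined; please fix!
"""

# Matches the permission set and the three context fields of one AVC denial.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def parse_denials(text):
    """Return (scontext, tcontext, tclass, perms) for each avc denial line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append((m["scontext"], m["tcontext"], m["tclass"], set(m["perms"].split())))
    return out


def summarize(denials):
    """Merge denials by (source type, target type, class), as audit2allow collapses duplicates."""
    merged = defaultdict(set)
    for sctx, tctx, tclass, perms in denials:
        # The type is the third field of a context such as u:r:vold:s0.
        merged[(sctx.split(":")[2], tctx.split(":")[2], tclass)] |= perms
    return merged


def to_allow_rules(merged):
    """Render merged denials as candidate TE rules. Each one still needs a human decision:
    a denial may mean a mislabeled file (fix *_contexts) rather than a missing allow rule."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items()
    )


if __name__ == "__main__":
    for rule in to_allow_rules(summarize(parse_denials(SAMPLE_DMESG))):
        print(rule)
```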

</body></html>