
Re: SELinux on Android

On Fri, 2011-11-04 at 11:16 +0100, Bhargava Shastry wrote:
> Hello,
> I am trying to get SELinux running on an Android phone. I did
> successfully build the kernel with SELinux enabled and mounted
> selinuxfs on init. Now, I would like to port SELinux user-space tools
> for policy loading/management. I looked at sebusybox tool-set but ran
> into problems while compiling. My hunch is that header files related
> to File System extended attributes are missing in the bionic lib
> sources that Android builds on. Having said that I have patched the
> Android YAFFS FS with an Xattr patch and also configured the kernel
> accordingly.
> I have sources of libselinux and libsepol checked out and am wondering
> how to go about building these libraries for Android. Any help in this
> regard would be much appreciated.

We have been working on enabling the use of SELinux in Android.  I gave
a talk on this topic at the Linux Security Summit in September; the
slides are available here:

You don't need much of the SELinux userspace on the device unless you
want to try to support modular policy on the device, which I wouldn't
recommend (at least in its current form).  You can just build the policy
on your build host using the build host's checkpolicy, which should be
available to you on most Linux distributions; I build on Fedora and
others have built my code on Ubuntu, both of which have checkpolicy
available.  So you don't need libsepol, checkpolicy, libsemanage, or
most of policycoreutils on the device. 

The only core SELinux userspace components that you need on the device
are a subset of libselinux (primarily the wrappers for the SELinux
kernel interfaces that you want to use on the device), and a subset of
the SELinux utilities (some of which you'll want to implement as init
built-ins because init.rc is interpreted and executed in-process by
init, not by exec'ing external programs except for starting services;
others you may want as additions to the Android toolbox so that you can
invoke them from an adb shell).  libselinux needs to be ported (i.e.
modified) and not just re-compiled for Android due to differences in its
libc (bionic vs glibc).

We plan to release our code once we have integrated SELinux with the
application layer access controls and can demonstrate a more complete

Stephen Smalley
National Security Agency
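As an added illustration of the "subset of libselinux" the reply describes (example code written for this page, not Smalley's or the SELinux project's own), here are the three kernel-interface wrappers in plain POSIX C, talking to selinuxfs nodes directly so they compile against bionic as well as glibc. The mount point is a parameter so the functions can be exercised against a constructed directory; on a device it would be wherever init mounted selinuxfs (the path is an assumption, not taken from the post).

```c
/* Stand-ins for the three libselinux kernel-interface wrappers the reply says
 * a device needs, written against selinuxfs with plain POSIX calls so they
 * build on bionic. mnt = selinuxfs mount point (assumed: whatever init used). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
/* Build "<mnt>/<node>" into buf; -1 if it would not fit. */
static int sefs_path(char *buf, size_t n, const char *mnt, const char *node) {
    int len = snprintf(buf, n, "%s/%s", mnt, node);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Write exactly len bytes to <mnt>/<node> in one write(): the kernel's load
 * node treats each write() as a complete policy image, so no partial loop. */
static int sefs_write(const char *mnt, const char *node, const void *data,
                      size_t len) {
    char path[256];
    if (sefs_path(path, sizeof path, mnt, node) < 0) return -1;
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, len);
    int saved = errno;
    close(fd);
    errno = saved;  /* keep the write() error visible to the caller */
    return (w == (ssize_t)len) ? 0 : -1;
}

/* Counterpart of security_getenforce(): read <mnt>/enforce; 1, 0, or -1. */
int sefs_getenforce(const char *mnt) {
    char path[256], buf[4] = {0};
    if (sefs_path(path, sizeof path, mnt, "enforce") < 0) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t r = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (r <= 0) return -1;
    return buf[0] == '1' ? 1 : (buf[0] == '0' ? 0 : -1);
}

/* Counterpart of security_setenforce(): write "1" or "0" to <mnt>/enforce. */
int sefs_setenforce(const char *mnt, int enforcing) {
    return sefs_write(mnt, "enforce", enforcing ? "1" : "0", 1);
}

/* Counterpart of security_load_policy(): hand the binary policy produced by
 * checkpolicy on the build host to the kernel through <mnt>/load. */
int sefs_load_policy(const char *mnt, const void *policy, size_t len) {
    return sefs_write(mnt, "load", policy, len);
}
```

Called from an init built-in or a toolbox command, these are the only pieces of libselinux the post says a device actually needs; everything else (policy compilation) stays on the build host.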

This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
