Re: SELinux on Android
On loading an SELinux policy, I see that SELinux recognises the YAFFS blocks on Android as FS where labeling is not supported. Here is a sample dmesg print:
"SELinux: initialized (dev mtdblock3, type yaffs2), not configured for labeling"
On looking into the SELinux code, I see that such a print is spat out on a check for a file-system superblock security attribute called "behavior". Could I possibly correct this by changing something in the YAFFS file-system code. I tried mounting the yaffs partition by appening the context= option in Android's init.rc but the mount fails.
I should add that I am able to execute getfilecon on YAFFS (extended attributes have been ported to YAFFS) successfully but setfilecon fails possibly due to the above debug print. And as previously mentioned, I attempt set/getfilecon only after a load_policy. Also, all other filesystems (rootfs, procfs, tmpfs etc. are correctly initialised on policy load)
On Thu, Nov 17, 2011 at 2:39 PM, Stephen Smalley <sds@xxxxxxxxxxxxx>
On Thu, 2011-11-17 at 11:15 +0100, Bhargava Shastry wrote:Because SELinux has no way to interpret the xattr value if there is no
> Sounds to me like you never loaded a policy. I'd bet you are
> inside the if (!ss_initialized) section of
> security_sid_to_context_core. You have to load a policy
> before you
> can properly set and retrieve labels.
> Thanks, loading policy fixed the problem although I wonder why one
> shouldn't be able to set xattr in the absence of a policy.
National Security Agency