
Re: SELinux on Android



Hello,

On loading an SELinux policy, I see that SELinux recognises the YAFFS blocks on Android as FS where labeling is not supported. Here is a sample dmesg print:
"SELinux: initialized (dev mtdblock3, type yaffs2), not configured for labeling"

On looking into the SELinux code, I see that such a print is spat out on a check for a file-system superblock security attribute called "behavior". Could I possibly correct this by changing something in the YAFFS file-system code? I tried mounting the yaffs partition by appending the context= option in Android's init.rc but the mount fails.
I should add that I am able to execute getfilecon on YAFFS (extended attributes have been ported to YAFFS) successfully but setfilecon fails, possibly due to the above debug print. And as previously mentioned, I attempt set/getfilecon only after a load_policy. Also, all other filesystems (rootfs, procfs, tmpfs etc.) are correctly initialised on policy load.

Thanks,
Bhargava

On Thu, Nov 17, 2011 at 2:39 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Thu, 2011-11-17 at 11:15 +0100, Bhargava Shastry wrote:
>         Sounds to me like you never loaded a policy.  I'd bet you are getting
>         inside the if (!ss_initialized) section of
>         security_sid_to_context_core.  You have to load a policy before you
>         can properly set and retrieve labels.
>
> Thanks, loading policy fixed the problem although I wonder why one
> shouldn't be able to set xattr in the absence of a policy.

Because SELinux has no way to interpret the xattr value if there is no
policy loaded.

--
Stephen Smalley
National Security Agency




--
Bhargava Shastry
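
An added example, not part of the original message and not SELinux project code: a shell check that parses the `SELinux: initialized (dev ..., type ...), ...` kernel messages of the kind quoted above and lists the filesystems reported as "not configured for labeling". The function names are hypothetical, and every sample log line except the mtdblock3 message text is constructed.

```shell
#!/bin/sh
# Added example: audit kernel log text (on stdin) for the labeling behavior
# SELinux reports for each filesystem when it initializes the superblock.

# Constructed sample input. Only the text of the mtdblock3 message comes from
# the thread; timestamps and the other lines are made up for illustration.
SAMPLE_DMESG='<6>[    4.120000] SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
<6>[    4.130000] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
<6>[    4.140000] SELinux: initialized (dev proc, type proc), uses genfs_contexts
<6>[    4.150000] SELinux: initialized (dev mtdblock3, type yaffs2), not configured for labeling
<6>[    4.160000] init: starting services'

# Emit "dev|type|behavior" for every superblock-init message, skipping
# unrelated log lines and any log-level or timestamp prefix.
selinux_fs_behaviors() {
    sed -n 's/^.*SELinux: initialized (dev \([^,]*\), type \([^)]*\)), \(.*\)$/\1|\2|\3/p'
}

# Emit "dev type" for filesystems SELinux says it cannot label.
unlabeled_filesystems() {
    selinux_fs_behaviors |
        awk -F'|' '$3 == "not configured for labeling" { print $1, $2 }'
}

# Return 0 if every reported filesystem has a labeling behavior, else 1,
# with one warning per affected device on stderr.
check_labeling() {
    missing=$(unlabeled_filesystems)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | while read -r dev type; do
        echo "WARN: $dev ($type): SELinux reports no labeling behavior" >&2
    done
    return 1
}

# Stand-alone run on the sample; on a device, feed it `dmesg` output instead.
printf '%s\n' "$SAMPLE_DMESG" | selinux_fs_behaviors
```

Running it after each policy load shows whether the message for a given device has changed from "not configured for labeling" to another behavior.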
