Re: SELinux on Android

On Mon, 2011-11-21 at 16:45 +0100, Bhargava Shastry wrote:
> Hello,
> On loading an SELinux policy, I see that SELinux recognises the YAFFS
> blocks on Android as FS where labeling is not supported. Here is a
> sample dmesg print:
> "SELinux: initialized (dev mtdblock3, type yaffs2), not configured for
> labeling"
> On looking into the SELinux code, I see that such a print is spat out
> on a check for a file-system superblock security attribute called
> "behavior". Could I possibly correct this by changing something in the
> YAFFS file-system code? I tried mounting the yaffs partition by
> appending the context= option in Android's init.rc but the mount fails.
> I should add that I am able to execute getfilecon on YAFFS (extended
> attributes have been ported to YAFFS) successfully but setfilecon
> fails possibly due to the above debug print. And as previously
> mentioned, I attempt set/getfilecon only after a load_policy. Also,
> all other filesystems (rootfs, procfs, tmpfs etc.) are correctly
> initialised on policy load.

You need to add a fs_use_xattr statement to your policy configuration
for yaffs2.  Similar to the existing statements for ext[234].

Stephen Smalley
National Security Agency
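
The check below is an added example, not part of the original messages or of any SELinux tooling: it scans boot messages for filesystems reported as "not configured for labeling" and proposes the missing fs_use_xattr statement by copying the context of an existing ext rule. Apart from the yaffs2 dmesg line quoted in the thread, the sample inputs, the refpolicy-style policy excerpt with its fs_t context, and all function names are assumptions.

```python
import re

# Constructed dmesg lines; only the yaffs2 line is quoted from the thread.
SAMPLE_DMESG = """\
SELinux: initialized (dev mtdblock3, type yaffs2), not configured for labeling
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
"""

# Constructed policy excerpt in refpolicy style (assumed layout and contexts).
SAMPLE_POLICY = """\
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
"""

DMESG_RE = re.compile(r"SELinux: initialized \(dev (\S+), type (\S+)\), (.+)")
FS_USE_RE = re.compile(r"^\s*fs_use_(xattr|trans|task)\s+(\S+)\s+(.+?);", re.M)

def unlabeled_filesystems(dmesg):
    """Return {fstype: [devices]} for mounts SELinux could not label."""
    found = {}
    for dev, fstype, behavior in DMESG_RE.findall(dmesg):
        if behavior.strip() == "not configured for labeling":
            found.setdefault(fstype, []).append(dev)
    return found

def fs_use_rules(policy):
    """Return {fstype: (behavior, context)} for every fs_use_* statement."""
    return {fs: (kind, ctx) for kind, fs, ctx in FS_USE_RE.findall(policy)}

def suggest_statements(dmesg, policy, template_fs="ext3"):
    """Propose fs_use_xattr lines for unlabeled types, copying the context
    of an existing xattr rule (template_fs), as the reply recommends."""
    rules = fs_use_rules(policy)
    kind, ctx = rules[template_fs]
    if kind != "xattr":
        raise ValueError(f"{template_fs} is not an fs_use_xattr rule")
    return [f"fs_use_xattr {fs} {ctx};"
            for fs in sorted(unlabeled_filesystems(dmesg)) if fs not in rules]

if __name__ == "__main__":
    for line in suggest_statements(SAMPLE_DMESG, SAMPLE_POLICY):
        print(line)
```

The proposed statement only takes effect once the policy is rebuilt and reloaded, and it relies on the filesystem storing security xattrs, which the original post says has been ported to YAFFS.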

