* SELinux on Android
From: Bhargava Shastry @ 2011-11-04 10:16 UTC (permalink / raw)
To: SELinux
Hello,
I am trying to get SELinux running on an Android phone. I did successfully
build the kernel with SELinux enabled and mounted selinuxfs on init. Now, I
would like to port SELinux user-space tools for policy loading/management.
I looked at sebusybox tool-set but ran into problems while compiling. My
hunch is that header files related to File System extended attributes are
missing in the bionic lib sources that Android builds on. Having said that
I have patched the Android YAFFS FS with an Xattr patch and also configured
the kernel accordingly.
I have sources of libselinux and libsepol checked out and am wondering how
to go about building these libraries for Android. Any help in this regard
would be much appreciated.
Regards,
Bhargava Shastry
* Re: SELinux on Android
From: Russell Coker @ 2011-11-04 10:54 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: SELinux
On Fri, 4 Nov 2011, Bhargava Shastry <bshas3@gmail.com> wrote:
> I am trying to get SELinux running on an Android phone. I did successfully
> build the kernel with SELinux enabled and mounted selinuxfs on init. Now, I
> would like to port SELinux user-space tools for policy loading/management.
> I looked at sebusybox tool-set but ran into problems while compiling. My
> hunch is that header files related to File System extended attributes are
> missing in the bionic lib sources that Android builds on. Having said that
> I have patched the Android YAFFS FS with an Xattr patch and also configured
> the kernel accordingly.
It's great that you got the kernel and filesystem code working as desired.
Would it be possible to publish the binaries so that others can work on this
too? If you were to blog about this it would be good too.
As for the compile problem, it would really help if you could provide us the
exact error messages from the compiler.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: SELinux on Android
From: Stephen Smalley @ 2011-11-04 12:32 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: SELinux
On Fri, 2011-11-04 at 11:16 +0100, Bhargava Shastry wrote:
> Hello,
>
> I am trying to get SELinux running on an Android phone. I did
> successfully build the kernel with SELinux enabled and mounted
> selinuxfs on init. Now, I would like to port SELinux user-space tools
> for policy loading/management. I looked at sebusybox tool-set but ran
> into problems while compiling. My hunch is that header files related
> to File System extended attributes are missing in the bionic lib
> sources that Android builds on. Having said that I have patched the
> Android YAFFS FS with an Xattr patch and also configured the kernel
> accordingly.
>
> I have sources of libselinux and libsepol checked out and am wondering
> how to go about building these libraries for Android. Any help in this
> regard would be much appreciated.
We have been working on enabling the use of SELinux in Android. I gave
a talk on this topic at the Linux Security Summit in September; the
slides are available here:
http://selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf
You don't need much of the SELinux userspace on the device unless you
want to try to support modular policy on the device, which I wouldn't
recommend (at least in its current form). You can just build the policy
on your build host using the build host's checkpolicy, which should be
available to you on most Linux distributions; I build on Fedora and
others have built my code on Ubuntu, both of which have checkpolicy
available. So you don't need libsepol, checkpolicy, libsemanage, or
most of policycoreutils on the device.
The only core SELinux userspace components that you need on the device
are a subset of libselinux (primarily the wrappers for the SELinux
kernel interfaces that you want to use on the device), and a subset of
the SELinux utilities (some of which you'll want to implement as init
built-ins because init.rc is interpreted and executed in-process by
init, not by exec'ing external programs except for starting services;
others you may want as additions to the Android toolbox so that you can
invoke them from an adb shell). libselinux needs to be ported (i.e.
modified) and not just re-compiled for Android due to differences in its
libc (bionic vs glibc).
We plan to release our code once we have integrated SELinux with the
application layer access controls and can demonstrate a more complete
solution.
--
Stephen Smalley
National Security Agency
* Re: SELinux on Android
From: Bhargava Shastry @ 2011-11-04 16:25 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux
Dear Mr. Smalley,
Thanks for your inputs. I did go through the slides of your recent
presentation on a case for SELinux enhanced Android phone. You have done a
great job re-engineering Android to retrofit SELinux.
I was wondering how much effort it is to actually port a subset of
SELinux's userspace (e.g., loadpolicy, chcon and a few others) tools to
Android? Does it entail major changes to Android's existing toolchain
including modifications to its bionic libc? Also, I was wondering if you
also undertook a port of coreutils as well (to enable the -Z option for
utils like ps and ls)?
Thanks again,
Bhargava
On Fri, Nov 4, 2011 at 1:32 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-11-04 at 11:16 +0100, Bhargava Shastry wrote:
> > Hello,
> >
> > I am trying to get SELinux running on an Android phone. I did
> > successfully build the kernel with SELinux enabled and mounted
> > selinuxfs on init. Now, I would like to port SELinux user-space tools
> > for policy loading/management. I looked at sebusybox tool-set but ran
> > into problems while compiling. My hunch is that header files related
> > to File System extended attributes are missing in the bionic lib
> > sources that Android builds on. Having said that I have patched the
> > Android YAFFS FS with an Xattr patch and also configured the kernel
> > accordingly.
> >
> > I have sources of libselinux and libsepol checked out and am wondering
> > how to go about building these libraries for Android. Any help in this
> > regard would be much appreciated.
>
> We have been working on enabling the use of SELinux in Android. I gave
> a talk on this topic at the Linux Security Summit in September; the
> slides are available here:
> http://selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf
>
> You don't need much of the SELinux userspace on the device unless you
> want to try to support modular policy on the device, which I wouldn't
> recommend (at least in its current form). You can just build the policy
> on your build host using the build host's checkpolicy, which should be
> available to you on most Linux distributions; I build on Fedora and
> others have built my code on Ubuntu, both of which have checkpolicy
> available. So you don't need libsepol, checkpolicy, libsemanage, or
> most of policycoreutils on the device.
>
> The only core SELinux userspace components that you need on the device
> are a subset of libselinux (primarily the wrappers for the SELinux
> kernel interfaces that you want to use on the device), and a subset of
> the SELinux utilities (some of which you'll want to implement as init
> built-ins because init.rc is interpreted and executed in-process by
> init, not by exec'ing external programs except for starting services;
> others you may want as additions to the Android toolbox so that you can
> invoke them from an adb shell). libselinux needs to be ported (i.e.
> modified) and not just re-compiled for Android due to differences in its
> libc (bionic vs glibc).
>
> We plan to release our code once we have integrated SELinux with the
> application layer access controls and can demonstrate a more complete
> solution.
>
> --
> Stephen Smalley
> National Security Agency
>
>
--
Bhargava Shastry
* Re: SELinux on Android
From: Stephen Smalley @ 2011-11-04 16:59 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: SELinux
On Fri, 2011-11-04 at 17:25 +0100, Bhargava Shastry wrote:
> Dear Mr. Smalley,
>
> Thanks for your inputs. I did go through the slides of your recent
> presentation on a case for SELinux enhanced Android phone. You have
> done a great job re-engineering Android to retrofit SELinux.
>
> I was wondering how much effort it is to actually port a subset of
> SELinux's userspace (e.g., loadpolicy, chcon and a few others) tools
> to Android? Does it entail major changes to Android's existing
> toolchain including modifications to its bionic libc? Also, I was
> wondering if you also undertook a port of coreutils as well (to enable
> the -Z option for utils like ps and ls)?
I did need to make some changes to bionic, e.g. adding the xattr system
calls to SYSCALLS.TXT and re-generating the syscall wrapper functions
via gensyscalls.py, adding support for the AT_SECURE auxv flag. Then I
could port a subset of libselinux. To support the SELinux commands and
-Z option, I modified the Android toolbox with support for ps -Z and ls
-Z and added new commands to it for various SELinux tools. To date, I
have added chcon, [gs]etenforce, [gs]etsebool, load_policy, restorecon,
and runcon.
--
Stephen Smalley
National Security Agency
* Re: SELinux on Android
From: Bhargava Shastry @ 2011-11-10 10:33 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux
Hello,
After some tweaks to load_policy, I was able to compile it against
Android's bionic C lib. However, I have a problem with loading a sample
policy compiled on my desktop Ubuntu PC (policydb version 24) on the
Android phone. Specifically, dmesg on the phone's kernel throws up the
following error:
SELinux: policydb version 24 does not match my version range 15-19
I see two quick solutions: (1) Re-compile Android kernel with policydb
version setting changed to 24. Unfortunately, the max version number
currently supported in Android's 2.6.32 msm kernel is 23. (2) Downgrade to
policy version 19 on the PC. Any thoughts on alternate solutions.
As regards Mr. Russell's comment, I'm afraid I won't be able to make the
binaries public at the moment. However, in order to get SELinux enabled on
the Android kernel one could simply do a menuconfig and enable NSA SELinux
support. Personally, I referred to this:
http://www.linuxtopia.org/online_books/linux_kernel/kernel_configuration/ch09s06.html.
As for the Xattr patch for Android's yaffs FS, it is available publicly
here: http://www.enck.org/tools/yaffs_xattr.patch
Regards,
Bhargava
On Fri, Nov 4, 2011 at 5:59 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2011-11-04 at 17:25 +0100, Bhargava Shastry wrote:
> > Dear Mr. Smalley,
> >
> > Thanks for your inputs. I did go through the slides of your recent
> > presentation on a case for SELinux enhanced Android phone. You have
> > done a great job re-engineering Android to retrofit SELinux.
> >
> > I was wondering how much effort it is to actually port a subset of
> > SELinux's userspace (e.g., loadpolicy, chcon and a few others) tools
> > to Android? Does it entail major changes to Android's existing
> > toolchain including modifications to its bionic libc? Also, I was
> > wondering if you also undertook a port of coreutils as well (to enable
> > the -Z option for utils like ps and ls)?
>
> I did need to make some changes to bionic, e.g. adding the xattr system
> calls to SYSCALLS.TXT and re-generating the syscall wrapper functions
> via gensyscalls.py, adding support for the AT_SECURE auxv flag. Then I
> could port a subset of libselinux. To support the SELinux commands and
> -Z option, I modified the Android toolbox with support for ps -Z and ls
> -Z and added new commands to it for various SELinux tools. To date, I
> have added chcon, [gs]etenforce, [gs]etsebool, load_policy, restorecon,
> and runcon.
>
> --
> Stephen Smalley
> National Security Agency
>
>
--
Bhargava Shastry
* Re: SELinux on Android
From: Russell Coker @ 2011-11-10 12:48 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: Stephen Smalley, SELinux
On Thu, 10 Nov 2011, Bhargava Shastry <bshas3@gmail.com> wrote:
> I see two quick solutions: (1) Re-compile Android kernel with policydb
> version setting changed to 24. Unfortunately, the max version number
> currently supported in Android's 2.6.32 msm kernel is 23. (2) Downgrade to
> policy version 19 on the PC. Any thoughts on alternate solutions.
Why is it version 23? The Debian 2.6.32 kernels support version 24 according
to /selinux/policyvers.
Also you can't just change the number.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
* Re: SELinux on Android
From: Eric Paris @ 2011-11-10 13:11 UTC (permalink / raw)
To: russell; +Cc: Bhargava Shastry, Stephen Smalley, SELinux
How are you loading the policy on the target? libsepol and
load_policy should automatically downgrade as needed. At least I
thought it did. In any case, you should be able to edit semanage.conf
on the build system and build a lower version policy.
-Eric
On Thu, Nov 10, 2011 at 7:48 AM, Russell Coker <russell@coker.com.au> wrote:
> On Thu, 10 Nov 2011, Bhargava Shastry <bshas3@gmail.com> wrote:
>> I see two quick solutions: (1) Re-compile Android kernel with policydb
>> version setting changed to 24. Unfortunately, the max version number
>> currently supported in Android's 2.6.32 msm kernel is 23. (2) Downgrade to
>> policy version 19 on the PC. Any thoughts on alternate solutions.
>
> Why is it version 23? The Debian 2.6.32 kernels support version 24 according
> to /selinux/policyvers.
>
> Also you can't just change the number.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>
* Re: SELinux on Android
From: Stephen Smalley @ 2011-11-10 13:12 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: SELinux, Eric Paris, James Morris
On Thu, 2011-11-10 at 11:33 +0100, Bhargava Shastry wrote:
> Hello,
>
> After some tweaks to load_policy, I was able to compile it against
> Android's bionic C lib. However, I have a problem with loading a
> sample policy compiled on my desktop Ubuntu PC (policydb version 24)
> on the Android phone. Specifically, dmesg on the phone's kernel throws
> up the following error:
> SELinux: policydb version 24 does not match my version range 15-19
>
> I see two quick solutions: (1) Re-compile Android kernel with policydb
> version setting changed to 24. Unfortunately, the max version number
> currently supported in Android's 2.6.32 msm kernel is 23. (2)
> Downgrade to policy version 19 on the PC. Any thoughts on alternate
> solutions.
Linux 2.6.32 supported policy.24, unless you forced it to an older
version via CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE (which
you shouldn't set in your kernel config at all; it only exists to
address a backward compatibility problem for Fedora Core 3/4). Maybe we
should get rid of that option altogether.
I've been using policy.24 policies for Android on the emulator (2.6.29)
and on the Nexus S phones (2.6.35).
> As regards Mr.Russell's comment, I'm afraid I won't be able to make
> the binaries public at the moment. However, in order to get SELinux
> enabled on the Android kernel one could simply do a menuconfig and
> enable NSA SELinux support. Personally, I referred to this:
> http://www.linuxtopia.org/online_books/linux_kernel/kernel_configuration/ch09s06.html
> As for the Xattr patch for Android's yaffs FS, it is available publicly
> here: http://www.enck.org/tools/yaffs_xattr.patch
You don't need an xattr patch anymore; upstream yaffs2 has xattr
support. You might need to back port newer upstream yaffs2 into your
Android kernel if your Android kernel's yaffs2 lacks such support. You
also need a patch that I posted to the yaffs2 mailing list to ensure
labeling of new files at creation time, as that isn't provided by
default by the xattr support.
--
Stephen Smalley
National Security Agency
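The two problems discussed above (building the policy on the host with the host's checkpolicy, then finding that the device kernel rejects it with "policydb version 24 does not match my version range 15-19") both come down to the version field in the binary policy header. The following is an added example, not code from the thread or from libselinux/libsepol: it parses the leading fields of a kernel policy file (magic, "SE Linux" identifier, version, config, symbol and ocontext counts, all little-endian u32) and checks the version against a kernel's supported range. The 32-byte sample header is constructed here for a version-24 policy; the selinuxfs path used for reading the running kernel's maximum version is the one Russell names in the thread and is only attempted, never required.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Leading fields of a kernel policy file as libsepol/checkpolicy write them
 * (all little-endian u32): magic, length of the identifier string, the
 * string "SE Linux", then version, config, symbol-table count, ocontext count. */
#define POLICYDB_MAGIC   0xf97cff8cU
#define POLICYDB_STRING  "SE Linux"
#define POLICYDB_HDR_LEN 32

struct policy_hdr {
    uint32_t version;   /* policydb version, e.g. 24 for the thread's host-built policy */
    uint32_t config;
    uint32_t sym_num;
    uint32_t ocon_num;
};

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if the buffer is too short, -2 on a bad magic,
 * -3 if the identifier is not "SE Linux" (e.g. a policy module, not a kernel policy). */
int parse_policy_header(const unsigned char *buf, size_t len, struct policy_hdr *out)
{
    size_t slen = strlen(POLICYDB_STRING);
    if (len < POLICYDB_HDR_LEN) return -1;
    if (rd_le32(buf) != POLICYDB_MAGIC) return -2;
    if (rd_le32(buf + 4) != slen || memcmp(buf + 8, POLICYDB_STRING, slen) != 0) return -3;
    out->version  = rd_le32(buf + 16);
    out->config   = rd_le32(buf + 20);
    out->sym_num  = rd_le32(buf + 24);
    out->ocon_num = rd_le32(buf + 28);
    return 0;
}

/* The kernel loads a policy only if its version lies within [kernel_min, kernel_max];
 * the thread's kernel reported 15-19 because its max had been forced down via
 * CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE. Returns 1 if loadable. */
int policy_version_loadable(uint32_t version, uint32_t kernel_min, uint32_t kernel_max)
{
    return version >= kernel_min && version <= kernel_max;
}

/* Read the maximum version the running kernel supports from selinuxfs
 * (/selinux/policyvers in the 2011-era layout). Returns -1 if unavailable. */
long read_kernel_policyvers(const char *path)
{
    FILE *f = fopen(path, "r");
    long v = -1;
    if (!f) return -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Constructed sample: the 32-byte header of a version-24 kernel policy.
 * The config/sym/ocon values are illustrative, not taken from a real file. */
static const unsigned char sample_policy_v24[POLICYDB_HDR_LEN] = {
    0x8c, 0xff, 0x7c, 0xf9,                    /* magic 0xf97cff8c */
    0x08, 0x00, 0x00, 0x00,                    /* strlen("SE Linux") */
    'S', 'E', ' ', 'L', 'i', 'n', 'u', 'x',    /* identifier */
    0x18, 0x00, 0x00, 0x00,                    /* version 24 */
    0x01, 0x00, 0x00, 0x00,                    /* config: MLS bit set */
    0x08, 0x00, 0x00, 0x00,                    /* 8 symbol tables */
    0x09, 0x00, 0x00, 0x00,                    /* 9 ocontext tables */
};

/* Parse the constructed sample and return its version (0 on any parse error). */
uint32_t sample_policy_version(void)
{
    struct policy_hdr h;
    return parse_policy_header(sample_policy_v24, sizeof sample_policy_v24, &h) == 0 ? h.version : 0;
}

int main(void)
{
    uint32_t v = sample_policy_version();
    long kmax = read_kernel_policyvers("/selinux/policyvers");   /* -1 on a host without it */
    uint32_t range_max = kmax > 0 ? (uint32_t)kmax : 19;         /* fall back to the thread's range */

    if (v == 0) { fprintf(stderr, "not a kernel policy file\n"); return 1; }
    if (!policy_version_loadable(v, 15, range_max))
        printf("SELinux: policydb version %u does not match my version range 15-%u\n", v, range_max);
    else
        printf("policy version %u is loadable (range 15-%u)\n", v, range_max);
    return 0;
}
```

Rather than editing the kernel's version range, the fix the thread arrives at is to leave CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE unset so the kernel reports the version it really supports; on the host side, checkpolicy's `-c <version>` option can emit an older policydb version when a device kernel genuinely is older.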
* Re: SELinux on Android
From: Bhargava Shastry @ 2011-11-10 13:26 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux, Eric Paris, James Morris
>
> Linux 2.6.32 supported policy.24, unless you forced it to an older
> version via CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE (which
> you shouldn't set in your kernel config at all; it only exists to
> address a backward compatibility problem for Fedora Core 3/4). Maybe we
> should get rid of that option altogether.
>
> I've been using policy.24 policies for Android on the emulator (2.6.29)
> and on the Nexus S phones (2.6.35).
>
The default value for CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
was 19 on my msm 2.6.32 kernel. I wonder why. Besides, like I mentioned
before, I tried to change it to 24 (on seeing the policy mismatch print)
but I can only set it to 23 (max value menuconfig allows me to enter).
> > As regards Mr.Russell's comment, I'm afraid I won't be able to make
> > the binaries public at the moment. However, in order to get SELinux
> > enabled on the Android kernel one could simply do a menuconfig and
> > enable NSA SELinux support. Personally, I referred to this:
> >
> > http://www.linuxtopia.org/online_books/linux_kernel/kernel_configuration/ch09s06.html
> > As for the Xattr patch for Android's yaffs FS, it is available publicly
> > here: http://www.enck.org/tools/yaffs_xattr.patch
>
> You don't need an xattr patch anymore; upstream yaffs2 has xattr
> support. You might need to back port newer upstream yaffs2 into your
> Android kernel if your Android kernel's yaffs2 lacks such support. You
> also need a patch that I posted to the yaffs2 mailing list to ensure
> labeling of new files at creation time, as that isn't provided by
> default by the xattr support.
>
Thanks for the info. I shall apply the labeling patch as well.
>
> --
> Stephen Smalley
> National Security Agency
>
>
--
Bhargava Shastry
* Re: SELinux on Android
From: Stephen Smalley @ 2011-11-10 16:26 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: SELinux, Eric Paris, James Morris
On Thu, 2011-11-10 at 14:26 +0100, Bhargava Shastry wrote:
> The default value for
> CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE was 19 on my msm
> 2.6.32 kernel. I wonder why. Besides, like I mentioned before, I tried
> to change it to 24 (on seeing the policy mismatch print) but I can
> only set it to 23 (max value menuconfig allows me to enter).
Don't set CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX, and then you
don't need to set a value at all. The only purpose of the option is to
force the kernel to report an older version than it truly supports, and
that was only to deal with a compatibility issue in Fedora 2/3.
--
Stephen Smalley
National Security Agency
* Re: SELinux on Android
From: Bhargava Shastry @ 2011-11-11 11:33 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux, Eric Paris, James Morris
>
> Don't set CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX, and then you
> don't need to set a value at all. The only purpose of the option is to
> force the kernel to report an older version than it truly supports, and
> that was only to deal with a compatibility issue in Fedora 2/3.
This somehow slipped my mind. Thanks, problem solved.
Regards,
Bhargava Shastry
* Re: SELinux on Android
From: Bhargava Shastry @ 2011-11-16 18:15 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux, Eric Paris, James Morris
Hi again,
I am trying to set/get file SELinux contexts using the set/getfilecon
programs. I added debug prints in the kernel to track code flow. I notice
that although setfilecon succeeds on a given file, a subsequent call to
getfilecon on the same file returns the string "kernel" irrespective of the
context that was set using setfilecon. On any other file whose context is
not set yet, getfilecon properly returns the string "unlabeled".
I suspect the inode struct in the kernel is not being updated properly
after a setxattr call. Has anyone else faced a similar problem? I am
working on Android's Nexus one phone.
Thanks,
Bhargava
On Fri, Nov 11, 2011 at 12:33 PM, Bhargava Shastry <bshas3@gmail.com> wrote:
>> Don't set CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX, and then you
>> don't need to set a value at all. The only purpose of the option is to
>> force the kernel to report an older version than it truly supports, and
>> that was only to deal with a compatibility issue in Fedora 2/3.
>
>
> This somehow slipped my mind. Thanks, problem solved.
>
> Regards,
> Bhargava Shastry
>
--
Bhargava Shastry
* Re: SELinux on Android
From: Eric Paris @ 2011-11-16 18:35 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: Stephen Smalley, SELinux, James Morris
Sounds to me like you never loaded a policy. I'd bet you are getting
inside the if (!ss_initialized) section of
security_sid_to_context_core. You have to load a policy before you
can properly set and retrieve labels.
-Eric
On Wed, Nov 16, 2011 at 1:15 PM, Bhargava Shastry <bshas3@gmail.com> wrote:
> Hi again,
>
> I am trying to set/get file SELinux contexts using the set/getfilecon
> programs. I added debug prints in the kernel to track code flow. I notice
> that although setfilecon succeeds on a given file, a subsequent call to
> getfilecon on the same file returns the string "kernel" irrespective of the
> context that was set using setfilecon. On any other file whose context is
> not set yet, getfilecon properly returns the string "unlabeled"
>
> I suspect the inode struct in the kernel is not being updated properly after
> a setxattr call. Has anyone else faced a similar problem? I am working on
> Android's Nexus one phone.
>
> Thanks,
> Bhargava
>
> On Fri, Nov 11, 2011 at 12:33 PM, Bhargava Shastry <bshas3@gmail.com> wrote:
>>>
>>> Don't set CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX, and then you
>>> don't need to set a value at all. The only purpose of the option is to
>>> force the kernel to report an older version than it truly supports, and
>>> that was only to deal with a compatibility issue in Fedora 2/3.
>>
>> This somehow slipped my mind. Thanks, problem solved.
>>
>> Regards,
>> Bhargava Shastry
>
>
>
> --
> Bhargava Shastry
>
* Re: SELinux on Android
From: Bhargava Shastry @ 2011-11-17 10:15 UTC (permalink / raw)
To: Eric Paris; +Cc: Stephen Smalley, SELinux, James Morris
>
> Sounds to me like you never loaded a policy. I'd bet you are getting
> inside the if (!ss_initialized) section of
> security_sid_to_context_core. You have to load a policy before you
> can properly set and retrieve labels.
>
Thanks, loading policy fixed the problem although I wonder why one
shouldn't be able to set xattr in the absence of a policy.
>
> On Wed, Nov 16, 2011 at 1:15 PM, Bhargava Shastry <bshas3@gmail.com>
> wrote:
> > Hi again,
> >
> > I am trying to set/get file SELinux contexts using the set/getfilecon
> > programs. I added debug prints in the kernel to track code flow. I notice
> > that although setfilecon succeeds on a given file, a subsequent call to
> > getfilecon on the same file returns the string "kernel" irrespective of
> the
> > context that was set using setfilecon. On any other file whose context is
> > not set yet, getfilecon properly returns the string "unlabeled"
> >
> > I suspect the inode struct in the kernel is not being updated properly
> after
> > a setxattr call. Has anyone else faced a similar problem? I am working on
> > Android's Nexus one phone.
> >
> > Thanks,
> > Bhargava
> >
> > On Fri, Nov 11, 2011 at 12:33 PM, Bhargava Shastry <bshas3@gmail.com>
> wrote:
> >>>
> >>> Don't set CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX, and then you
> >>> don't need to set a value at all. The only purpose of the option is to
> >>> force the kernel to report an older version than it truly supports, and
> >>> that was only to deal with a compatibility issue in Fedora 2/3.
> >>
> >> This somehow slipped my mind. Thanks, problem solved.
> >>
> >> Regards,
> >> Bhargava Shastry
> >
> >
> >
> > --
> > Bhargava Shastry
> >
>
--
Bhargava Shastry
* Re: SELinux on Android
From: Stephen Smalley @ 2011-11-17 13:37 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: SELinux, Eric Paris, James Morris
On Wed, 2011-11-16 at 19:15 +0100, Bhargava Shastry wrote:
> Hi again,
>
> I am trying to set/get file SELinux contexts using the set/getfilecon
> programs. I added debug prints in the kernel to track code flow. I
> notice that although setfilecon succeeds on a given file, a subsequent
> call to getfilecon on the same file returns the string "kernel"
> irrespective of the context that was set using setfilecon. On any
> other file whose context is not set yet, getfilecon properly returns
> the string "unlabeled"
>
> I suspect the inode struct in the kernel is not being updated properly
> after a setxattr call. Has anyone else faced a similar problem? I am
> working on Android's Nexus one phone.
- Do you have a policy loaded (requires patching init to load the
policy)?
- Do you have yaffs xattr support enabled in your kernel
(CONFIG_YAFFS_XATTR=y)?
- Do you have the two patches for yaffs that I posted (one of which they
did take, the other they ignored)?
http://www.aleph1.co.uk/lurker/message/20110412.193746.891b5e18.en.html
http://www.aleph1.co.uk/lurker/message/20110413.203654.65d7ee58.en.html
--
Stephen Smalley
National Security Agency
* Re: SELinux on Android
From: Stephen Smalley @ 2011-11-17 13:39 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: Eric Paris, SELinux, James Morris
On Thu, 2011-11-17 at 11:15 +0100, Bhargava Shastry wrote:
> Sounds to me like you never loaded a policy. I'd bet you are getting
> inside the if (!ss_initialized) section of
> security_sid_to_context_core. You have to load a policy before you
> can properly set and retrieve labels.
>
> Thanks, loading policy fixed the problem although I wonder why one
> shouldn't be able to set xattr in the absence of a policy.
Because SELinux has no way to interpret the xattr value if there is no
policy loaded.
--
Stephen Smalley
National Security Agency
* Re: SELinux on Android
From: Bhargava Shastry @ 2011-11-21 15:45 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, SELinux, James Morris
Hello,
On loading an SELinux policy, I see that SELinux recognises the YAFFS
blocks on Android as FS where labeling is not supported. Here is a sample
dmesg print:
"SELinux: initialized (dev mtdblock3, type yaffs2), not configured for
labeling"
On looking into the SELinux code, I see that such a print is spat out on a
check for a file-system superblock security attribute called "behavior".
Could I possibly correct this by changing something in the YAFFS
file-system code? I tried mounting the yaffs partition by appending the
context= option in Android's init.rc but the mount fails.
I should add that I am able to execute getfilecon on YAFFS (extended
attributes have been ported to YAFFS) successfully but setfilecon fails
possibly due to the above debug print. And as previously mentioned, I
attempt set/getfilecon only after a load_policy. Also, all other
filesystems (rootfs, procfs, tmpfs etc.) are correctly initialised on policy
load.
Thanks,
Bhargava
On Thu, Nov 17, 2011 at 2:39 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Thu, 2011-11-17 at 11:15 +0100, Bhargava Shastry wrote:
> > Sounds to me like you never loaded a policy. I'd bet you are getting
> > inside the if (!ss_initialized) section of
> > security_sid_to_context_core. You have to load a policy before you
> > can properly set and retrieve labels.
> >
> > Thanks, loading policy fixed the problem although I wonder why one
> > shouldn't be able to set xattr in the absence of a policy.
>
> Because SELinux has no way to interpret the xattr value if there is no
> policy loaded.
>
> --
> Stephen Smalley
> National Security Agency
>
>
--
Bhargava Shastry
* Re: SELinux on Android
From: Stephen Smalley @ 2011-11-21 15:51 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: Eric Paris, SELinux, James Morris
On Mon, 2011-11-21 at 16:45 +0100, Bhargava Shastry wrote:
> Hello,
>
> On loading an SELinux policy, I see that SELinux recognises the YAFFS
> blocks on Android as FS where labeling is not supported. Here is a
> sample dmesg print:
> "SELinux: initialized (dev mtdblock3, type yaffs2), not configured for
> labeling"
>
> On looking into the SELinux code, I see that such a print is spat out
> on a check for a file-system superblock security attribute called
> "behavior". Could I possibly correct this by changing something in the
> YAFFS file-system code? I tried mounting the yaffs partition by
> appending the context= option in Android's init.rc but the mount fails.
> I should add that I am able to execute getfilecon on YAFFS (extended
> attributes have been ported to YAFFS) successfully but setfilecon
> fails possibly due to the above debug print. And as previously
> mentioned, I attempt set/getfilecon only after a load_policy. Also,
> all other filesystems (rootfs, procfs, tmpfs etc.) are correctly
> initialised on policy load.
You need to add a fs_use_xattr statement to your policy configuration
for yaffs2. Similar to the existing statements for ext[234].
--
Stephen Smalley
National Security Agency
* Re: SELinux on Android
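The fs_use_xattr fix above and the "not configured for labeling" dmesg line quoted earlier in the thread can be checked against each other. The following Python script is an added example written for this page, not code from the thread or from the SELinux project; it assumes an expanded policy.conf (checkpolicy input, as produced from mdp output or a refpolicy build) and the kernel's per-superblock messages, and both the dmesg lines and the policy fragment are constructed samples.

```python
import re

# Constructed sample of the per-superblock lines SELinux prints at policy load,
# modelled on the "SELinux: initialized (dev mtdblock3, type yaffs2), not
# configured for labeling" line quoted in the thread.
SAMPLE_DMESG = """\
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev mtdblock3, type yaffs2), not configured for labeling
"""

# Constructed policy.conf fragment (checkpolicy input, m4 macros already
# expanded) with the ext[234] statements the reply says to copy and no
# statement for yaffs2, which is the situation described in the thread.
SAMPLE_POLICY = """\
fs_use_xattr ext2 system_u:object_r:fs_t:s0;
fs_use_xattr ext3 system_u:object_r:fs_t:s0;
fs_use_xattr ext4 system_u:object_r:fs_t:s0;
fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
genfscon proc / system_u:object_r:proc_t:s0
genfscon rootfs / system_u:object_r:root_t:s0
"""

FS_USE_RE = re.compile(r"^\s*(fs_use_xattr|fs_use_trans|fs_use_task)\s+(\S+)")
GENFSCON_RE = re.compile(r"^\s*genfscon\s+(\S+)\s+\S+\s+\S+")
DMESG_RE = re.compile(r"SELinux: initialized \(dev (\S+), type (\S+)\), (.+?)\s*$")

NOT_CONFIGURED = "not configured for labeling"


def policy_fs_labeling(policy_text):
    """Map each filesystem type the policy labels to the statement used for it
    (fs_use_xattr, fs_use_trans, fs_use_task or genfscon)."""
    covered = {}
    for line in policy_text.splitlines():
        m = FS_USE_RE.match(line)
        if m:
            covered[m.group(2)] = m.group(1)
            continue
        m = GENFSCON_RE.match(line)
        if m:
            covered.setdefault(m.group(1), "genfscon")
    return covered


def parse_dmesg(dmesg_text):
    """Return (dev, fstype, behaviour) for every superblock SELinux reported;
    search() tolerates a leading kernel timestamp on the line."""
    return [m.groups() for m in map(DMESG_RE.search, dmesg_text.splitlines()) if m]


def unlabeled_filesystems(dmesg_text, policy_text, context="system_u:object_r:fs_t:s0"):
    """For each superblock reported as not configured for labeling, return
    (dev, fstype, advice): the fs_use_xattr line to add when the policy has no
    statement for that type (the fix from the thread, assuming the filesystem
    supports xattrs), or a note that this policy source already covers it,
    which suggests the policy actually loaded differs from the source."""
    covered = policy_fs_labeling(policy_text)
    findings = []
    for dev, fstype, behaviour in parse_dmesg(dmesg_text):
        if behaviour != NOT_CONFIGURED:
            continue
        if fstype in covered:
            advice = "policy already has %s for %s; the loaded policy may not match this source" % (covered[fstype], fstype)
        else:
            advice = "fs_use_xattr %s %s;" % (fstype, context)
        findings.append((dev, fstype, advice))
    return findings


if __name__ == "__main__":
    for dev, fstype, advice in unlabeled_filesystems(SAMPLE_DMESG, SAMPLE_POLICY):
        print("%s (%s): %s" % (dev, fstype, advice))
```

On a device, feed it the real dmesg output and the policy.conf you compiled; a finding whose advice is an fs_use_xattr line is the missing statement to add before rebuilding with checkpolicy.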
From: Bhargava Shastry @ 2011-11-21 18:18 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, SELinux, James Morris
>
> You need to add a fs_use_xattr statement to your policy configuration
> for yaffs2. Similar to the existing statements for ext[234].
>
Thanks. I have the sources for a reference SELinux policy from the tresys
website. Unfortunately, with default policy build options, the resulting
monolithic policy is huge. I am using an Ubuntu machine; any hints as to
where to start for a minimal policy for Android? I tried selectively
building only basic modules but there are intricate dependencies
(checkpolicy throws up unresolved symbol errors) between modules that are
hard to disentangle.
Regards,
Bhargava Shastry
* Re: SELinux on Android
From: Stephen Smalley @ 2011-11-21 18:32 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: Eric Paris, SELinux, James Morris
On Mon, 2011-11-21 at 19:18 +0100, Bhargava Shastry wrote:
> You need to add a fs_use_xattr statement to your policy configuration
> for yaffs2. Similar to the existing statements for ext[234].
>
> Thanks. I have the sources for a reference SELinux policy from the
> tresys website. Unfortunately, with default policy build options, the
> resulting monolithic policy is huge. I am using an Ubuntu machine; any
> hints as to where to start for a minimal policy for Android? I tried
> selectively building only basic modules but there are intricate
> dependencies (checkpolicy throws up unresolved symbol errors) between
> modules that are hard to disentangle.
It doesn't make much sense to use the reference policy for Android,
because the Android userspace is completely different from a typical
Linux distribution. I created a policy from scratch for my work.
You can generate a minimal policy from the kernel tree (see
scripts/selinux/mdp). However, that generated policy will only take you
so far since it lacks any of the macro definitions/build infrastructure
and since it places everything in a single type/domain. So you can
start there, but you'll likely want to split it out into multiple files,
add some of the macros from refpolicy or the original example policy,
and start defining individual domains and types.
--
Stephen Smalley
National Security Agency
* Re: SELinux on Android
From: Bhargava Shastry @ 2011-11-22 19:25 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, SELinux, James Morris
>
> It doesn't make much sense to use the reference policy for Android,
> because the Android userspace is completely different from a typical
> Linux distribution. I created a policy from scratch for my work.
>
> You can generate a minimal policy from the kernel tree (see
> scripts/selinux/mdp). However, that generated policy will only take you
> so far since it lacks any of the macro definitions/build infrastructure
> and since it places everything in a single type/domain. So you can
> start there, but you'll likely want to split it out into multiple files,
> add some of the macros from refpolicy or the original example policy,
> and start defining individual domains and types.
Thanks for pointing that out. I am getting myself acquainted with SELinux policy
semantics to be able to start from scratch. I have one question though and
the answer to this would make my task of creating an Android specific
policy much smoother.
I had previously loaded an Ubuntu SELinux policy on Android and it seemed
to label all the filesystems correctly (except yaffs). I would like to diff
a very basic policy (i.e., mdp output) with the default ubuntu policy so
that I would get an idea of how filesystems are being labeled and how
transitions are handled among other things; basically to learn from a delta
between the two files. To do this, I need sources for Ubuntu-SELinux policy
(in order to compile a policy.conf). I have somehow not been able to
locate the source for the policy binary that ubuntu uses (I looked in the
/etc/selinux dir to no avail). Any ideas as to where I can find them?
Alternatively, is there a tool to reverse engineer policy.conf from the
policy binary (e.g. policy.24)?
Kind Regards,
Bhargava Shastry
* Re: SELinux on Android
From: Stephen Smalley @ 2011-11-22 19:29 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: Eric Paris, SELinux, James Morris
On Tue, 2011-11-22 at 20:25 +0100, Bhargava Shastry wrote:
> Thanks for pointing out. I am getting myself acquainted with SELinux
> policy semantics to be able to start from scratch. I have one question
> though and the answer to this would make my task of creating an
> Android specific policy much smoother.
> I had previously loaded an Ubuntu SELinux policy on Android and it
> seemed to label all the filesystems correctly (except yaffs). I would
> like to diff a very basic policy (i.e., mdp output) with the default
> ubuntu policy so that I would get an idea of how filesystems are being
> labeled and how transitions are handled among other things; basically
> to learn from a delta between the two files. To do this, I need
> sources for Ubuntu-SELinux policy (in order to compile a
> policy.conf). I have somehow not been able to locate the source for
> the policy binary that ubuntu uses (I looked in the /etc/selinux dir
> to no avail). Any ideas as to where I can find them? Alternatively, is
> there a tool to reverse engineer policy.conf from the policy binary
> (e.g. policy.24)?
You need the source package. selinux-policy-src?
setools has a variety of tools that allow you to inspect a policy, even
a binary one. seinfo, sesearch, apol, etc.
--
Stephen Smalley
National Security Agency
* Re: SELinux on Android
From: Russell Coker @ 2011-11-22 22:03 UTC (permalink / raw)
To: Bhargava Shastry, SELinux
On Wed, 23 Nov 2011, Bhargava Shastry <bshas3@gmail.com> wrote:
> between the two files. To do this, I need sources for Ubuntu-SELinux policy
> (in order to compile a policy.conf). I have somehow not been able to
> locate the source for the policy binary that ubuntu uses (I looked in the
> /etc/selinux dir to no avail). Any ideas as to where I can find them?
> Alternatively, is there a tool to reverse engineer policy.conf from the
> policy binary (e.g. policy.24)?
To get the source for something on Ubuntu you should run
"apt-get source PACKAGE".
Also you might find it better to use Debian SE Linux stuff instead of Ubuntu.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
* Re: SELinux on Android
From: Bhargava Shastry @ 2011-12-01 18:42 UTC (permalink / raw)
To: russell; +Cc: SELinux
Hi All,
I was wondering if there is a way to do automatic policy updates for SELinux
at runtime. On similar lines, is there a means by which SELinux queries a
"supervisor" in the userspace in case a policy violation is detected in
enforcing mode? For example, let's say SELinux's initial policy (loaded
during device boot) does not permit program X to read file Y. If SELinux is
enforcing such a policy, X is not allowed to read Y (obviously). In this
scenario, is there a way to allow SELinux to ask a user-space decision maker
program if Y could indeed be read by X? Maybe the user-space decision maker
deems the file safe to be read.
Apologies if I am being a little vague here. To put my question in
perspective, I am working on evaluating SELinux on Android and it is
sometimes useful for the Android middleware (sitting on top of the Linux
kernel) to interfere in kernel-level MAC e.g. SELinux. So, it would be
useful to know if a communication channel between SELinux and the
middleware could be established esp. wrt policy updates.
Any help is much appreciated.
Kind Regards,
Bhargava
On Tue, Nov 22, 2011 at 11:03 PM, Russell Coker <russell@coker.com.au> wrote:
> On Wed, 23 Nov 2011, Bhargava Shastry <bshas3@gmail.com> wrote:
> > between the two files. To do this, I need sources for Ubuntu-SELinux
> policy
> > (in order to compile a policy.conf). I have somehow not been able to
> > locate the source for the policy binary that ubuntu uses (I looked in the
> > /etc/selinux dir to no avail). Any ideas as to where I can find them?
> > Alternatively, is there a tool to reverse engineer policy.conf from the
> > policy binary (e.g. policy.24)?
>
> To get the source for something on Ubuntu you should run
> "apt-get source PACKAGE".
>
> Also you might find it better to use Debian SE Linux stuff instead of
> Ubuntu.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>
--
Bhargava Shastry
* Re: SELinux on Android
From: Stephen Smalley @ 2011-12-01 19:04 UTC (permalink / raw)
To: Bhargava Shastry; +Cc: russell, SELinux
On Thu, 2011-12-01 at 19:42 +0100, Bhargava Shastry wrote:
> Hi All,
>
> I was wondering if there is a way to do automatic policy updates for
> SELinux at runtime. On similar lines, is there a means by which
> SELinux queries a "supervisor" in the userspace in case a policy
> violation is detected in enforcing mode? For example, let's say
> SELinux's initial policy (loaded during device boot) does not permit
> program X to read file Y. If SELinux is enforcing such a policy, X is
> not allowed to read Y (obviously). In this scenario, is there a way to
> allow SELinux to ask a user-space decision maker program if Y could
> indeed be read by X? Maybe the user-space decision maker deems the
> file safe to be read.
>
> Apologies if I am being a little vague here. To put my question in
> perspective, I am working on evaluating SELinux on Android and it is
> sometimes useful for the Android middleware (sitting on top of the
> Linux kernel) to interfere in kernel-level MAC e.g. SELinux. So, it
> would be useful to know if a communication channel between SELinux and
> the middleware could be established esp. wrt policy updates.
SELinux does not support upcalls to userspace for decision making (and
doing so would be impossible for a number of the hooks, which are called
under various conditions and cannot always block).
It is however possible for a userspace agent to exercise various degrees
of control over SELinux, e.g. by loading new policy, by changing policy
booleans, or by specifying how to label particular processes and
objects. But that would occur in response to some event visible to the
userspace agent, not in response to an upcall from SELinux in the middle
of processing some system call.
--
Stephen Smalley
National Security Agency
* Re: SELinux on Android
From: Bhargava Shastry @ 2011-12-02 10:37 UTC (permalink / raw)
To: Stephen Smalley; +Cc: russell, SELinux
Hi Stephen,
Thanks again for sharing your insights. Your timely inputs are much
appreciated.
> It is however possible for a userspace agent to exercise various degrees
> of control over SELinux, e.g. by loading new policy, by changing policy
> booleans, or by specifying how to label particular processes and
> objects. But that would occur in response to some event visible to the
> userspace agent, not in response to an upcall from SELinux in the middle
> of processing some system call.
Alright. So, in essence, user-space can only indirectly affect SELinux's
functioning. I presume this calls for making SELinux policy dynamic enough
(e.g. by means of booleans and conditional checks in policy) to respond to
changes triggered in the user-space.
Regards,
Bhargava Shastry