From: Stephen Smalley <sds@tycho.nsa.gov>
To: Bryan Hinton <bryan@bryanhinton.com>
Cc: Subramani Venkatesh <selinuxv31@gmail.com>, selinux@tycho.nsa.gov
Subject: Re: SE Android on Galaxy Nexus
Date: Tue, 06 Mar 2012 14:01:46 -0500
Message-ID: <1331060506.26027.99.camel@moss-pluto>
In-Reply-To: <CA+XzHePXLxhGxpXrtZ6AzmgZNPoZhRN9p7Em+oOStnJXnhaYiw@mail.gmail.com>

On Fri, 2012-03-02 at 16:16 -0600, Bryan Hinton wrote:
> I agree. A per-device file_contexts file makes sense given the
> variation in radio types between ICS based devices.

Support for per-device .te and .fc files has been added to the sepolicy
Android.mk file. Thus, you can place your device-specific additions for
file_contexts in a sepolicy.fc file or for policy rules in a sepolicy.te
file under target/board/<device>, device/<vendor>/<device>, or
vendor/<vendor>/<device> and have it automatically included into the
policy.

Since the device-specific .fc files are appended to the end of
file_contexts, they will take precedence over less specific entries in
the base file_contexts file (e.g. no need to change the /dev/tty[0-9]
entry in file_contexts in order to override the context for /dev/tty03;
you can just add the latter to your .fc file and it should take
precedence). The device-specific .te files are likewise appended after
the base set of .te files, although order there shouldn't matter.

This is still experimental and may change further. For example, if we
wanted to support multiple .fc or .te files per device, we might
introduce an optional sepolicy subdirectory under the device directories
that could contain any number of such files.

These changes are available in our sepolicy tree, but not yet in the
AOSP one. In order to ensure that you use our sepolicy tree, you may
need to update your local_manifest.xml file. I have placed updated
local_manifest.xml (for git-based access) and local_manifest_http.xml
(for http-based access) files under
http://selinuxproject.org/~seandroid/
--
Stephen Smalley
National Security Agency
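
An added example, not part of the original message and not SE Android or libselinux code: a small audit that shows which paths change label once a device sepolicy.fc is appended to the base file_contexts, as the message describes. It assumes a simplified lookup model (the last matching entry in the combined file wins, patterns must match the whole path, Python's re stands in for the real regex engine), and all entries and type names are constructed.

```python
import re

# Constructed sample entries, not taken from the SE Android tree. The base
# pattern is written /dev/tty[0-9]* so that it also matches /dev/tty03.
BASE_FC = """\
/dev(/.*)?       u:object_r:device:s0
/dev/tty[0-9]*   u:object_r:tty_device:s0
/dev/null        u:object_r:null_device:s0
"""
# Hypothetical device sepolicy.fc; radio_device is an illustrative type name.
DEVICE_FC = """\
/dev/tty03       u:object_r:radio_device:s0
"""

def parse_fc(text, origin):
    """Parse file_contexts text into (compiled regex, context, origin) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        # First field is the path regex, last is the context; an optional
        # file-type field in between (e.g. -c) is ignored in this model.
        entries.append((re.compile(fields[0]), fields[-1], origin))
    return entries

def lookup(entries, path):
    """Last matching entry wins: scan from the end of the combined file."""
    for regex, context, origin in reversed(entries):
        if regex.fullmatch(path):  # patterns must match the whole path
            return context, origin
    return None

def overridden(base, device, paths):
    """List paths whose label changes once the device entries are appended."""
    changed = []
    for path in paths:
        before, after = lookup(base, path), lookup(base + device, path)
        if before != after:
            changed.append((path, before and before[0], after and after[0]))
    return changed

if __name__ == "__main__":
    base, device = parse_fc(BASE_FC, "base"), parse_fc(DEVICE_FC, "device")
    for row in overridden(base, device, ["/dev/tty03", "/dev/tty1", "/dev/null"]):
        print("%s: %s -> %s" % row)
```

Running the same audit over a device file that contains a broad pattern makes visible how many base labels it would shadow, which is the review step worth doing before shipping a device-specific .fc file.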