From: Stephen Smalley <sds@tycho.nsa.gov>
To: Subramani Venkatesh <selinuxv31@gmail.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: CTS failure on SEAndroid Galaxy Nexus
Date: Thu, 08 Mar 2012 11:18:22 -0500 [thread overview]
Message-ID: <1331223502.13585.112.camel@moss-pluto> (raw)
In-Reply-To: <CAD8iFzynBoUg_O+9LU3rmxasCYKK3GPed5hGdSeSoKgNppa7Bg@mail.gmail.com>
On Thu, 2012-03-08 at 11:09 -0500, Subramani Venkatesh wrote:
> Hi Stephen,
> I collected some log about AVC denial running CTS in permissive mode,
> I am seeing most of the calls being denied on binder( receive and
> call), and all CTS apps are under untrusted_app domain, though I can
> add the fix in cts.te to continue execution CTS, I am concerned in
> future if someone enables android_cts and still can install some
> untrusted app( May be not part of CTS). How does this work? or is
> android_cts is for only development platform?
Did you update to our latest policy? Make sure you use the latest
local_manifest.xml file,
http://selinuxproject.org/~seandroid/local_manifest.xml
so that you use our sepolicy project and not the (not yet updated) AOSP
one. Then run repo sync -j1 with that local_manifest.xml file in
your .repo subdirectory.
The denials you listed should already be fixed with our latest tree.
I'm still investigating some other denials during CTS execution.
The concept of the android_cts boolean is to allow certain permissions
for the CTS instrumentation on the device that aren't
necessary/desirable for production devices. So it would only be enabled
when running the CTS normally.
An alternative would be to assign the CTS packages specific app domains
by specifying their package names in seapp_contexts and defining a
cts_app domain in the policy with the requisite permissions. However,
as package names are arbitrary and there is no namespace control over
who can use what names, that would be less safe in practice - any third
party app could use the same name. That only really works for system
apps where you know that the package is pre-installed.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2012-03-08 16:18 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-07 13:18 CTS failure on SEAndroid Galaxy Nexus Subramani Venkatesh
2012-03-07 13:36 ` Stephen Smalley
2012-03-07 13:57 ` Subramani Venkatesh
2012-03-07 14:06 ` Stephen Smalley
2012-03-07 14:40 ` Stephen Smalley
2012-03-07 20:28 ` Stephen Smalley
2012-03-08 16:09 ` Subramani Venkatesh
2012-03-08 16:18 ` Stephen Smalley [this message]
2012-03-08 16:47 ` Subramani Venkatesh
2012-03-09 20:37 ` Fred Aguirre
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1331223502.13585.112.camel@moss-pluto \
--to=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=selinuxv31@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.