Re: Tuna policy files

[Stephen Smalley <sds@tycho.nsa.gov>]

On Fri, 2012-05-18 at 22:08 -0700, Bryan Hinton wrote:
> It seems that for the VZW Galaxy Nexus, sepolicy.fc and sepolicy.te
> files should reside in device/samsung/toro.
> ueventd.tuna.rc contains the names of the LTE RIL device nodes.
> I have these device nodes labeled in device/samsung/toro/sepolicy.fc
> for the Galaxy Nexus.
> 
> For GSM/HSPA+ Galaxy Nexus, the relevant device nodes are also listed
> in ueventd.tuna.rc.
> It appears that they were never separated out. But given that there
> are other model-specific device nodes
> that have to be labeled correctly in their respective directories, it
> seems logical to separate things.
> For example,  device/samsung/crespo/sepolicy.fc would contain a label
> for /dev/pn544 while
> device/samsung/toro would contain a label for /dev/ttyO3.

What we have done presently is created trivial sepolicy.{te,fc} files
under toro and maguro that simply contain a single include line to
inherit the tuna definitions, e.g.
include(`device/samsung/tuna/sepolicy.te')

This is similar to how they handle BoardConfig.mk and device.mk, which
likewise include the tuna files.

This required a small change to sepolicy/Android.mk to apply m4 as a
preprocessor for .fc files (was already being applied for .te files) so
that we can support includes in both kinds of files.

You could still add device-specific lines after the include directive
for entries that are truly unique to toro or maguro, but this avoids
duplicating the entries that they have in common in both directories.

> Lastly, regarding the proper labeling of factory, are you using the
> init.tuna.rc patch that I added on Mar 6?


-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.