Re: SEAndroid: Labels of files in /data/data/APPDIR/lib directory

["Michal Mašek" <michal.masek@circletech.net>]

On 07/10/2012 04:13 PM, Stephen Smalley wrote:
> The /data/data/APPDIR directory should be labeled with the
> app_data_file
> type (not system_data_file as in your avc denials above) and the same
> category assigned to the app process (i.e. :c38 in the above denial).

The /data/data/APPDIR is labeled with the app_data_file
type as you say it should be:
# ls -lZ /data/data/
...
drwxr-x--x app_38 app_38 u:object_r:app_data_file:s0:c38 net.circletech.cc

However the /data/data/APPDIR/lib and everything in it is labeled with
type system_data_file:
# ls -lZ /data/data/net.circletech.cc/
drwxr-xr-x system system u:object_r:system_data_file:s0 lib


> The fact that it is instead system_data_file suggests that you
> installed
> the app when not running SE Android and did not erase and reflash your
> data partition.

I have built the SEAndroid from sources as full_maguro-eng and I am
running it on Galaxy Nexus. I cleared the cache and userdata before
flashing the system. Getenforce says that the SELinux is running in
permissive mode.

I checked the /data/data directory before installation and the directory
of our application is not there. Than I installed the application via
"adb install" and the directory was created with the above mentioned
labels. I also tried to download the apk file through the android web
browser and installed it from Downloads app but it had the same effect.


Btw. i randomly checked directories of some of the system apps and the
lib subdirectory is always labeled with the system_data_file type, eg.:
# ls -lZ /data/data/com.android.providers.contacts/
drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 databases
drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 files
drwxr-xr-x system   system u:object_r:system_data_file:s0 lib
drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 shared_prefs


Isn't it possible that during installation the lib directory is created
somewhere else, somewhere where it would be labeled with
system_data_file type and than moved to /data/data/APPDIR with its label
intact? Or maybe there is something else I am missing?

Thanks for your help,
Michal Mašek


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.