
SE Linux Policy Information Thread

By moonbutt74, Senior Member on 2nd September 2014, 04:28 PM
Okay, so this will be dedicated to what information I can find on understanding and defining sepolicy,
really for any device. It's not meant to be a Q&A but an evolving source of reference. The approach
towards the gathering of the information will be in a pick and pack format. Anyone who's ever worked in a warehouse
will know how that is.

Skipping through rationale, selling points, and philosophy, here is the first bit of info I've been wanting to know for a while. And maybe it will help with cm11.

from this site - http://events.linuxfoundation.org/si...id_smalley.pdf

Quote:

SELinux Labeling:
• Each process and object is labeled with a security context.
  – A string of the form “user:role:type:level”.
  – Only the type field is used in AOSP presently.
• Process types are also called domains.
• Domains and types are security equivalence classes.
  – Identifiers for processes and objects in policy.
  – Same domain/type => same access.

SELinux Policy:
• The security policy configuration defines:
  – how to label processes and objects with domains and types,
  – how domains can interact with each other (e.g. signals, IPC, ptrace), and how domains can access types.
• No processes are exempt from the policy.
  – Not overridden by uid-0 or Linux capabilities.
  – Only notion of “unconfined” is policy-defined.

SELinux Possible States
• Disabled = Not enabled in the kernel or disabled via kernel parameter.
• Permissive = Just logs denials but does not enforce them.
• Enforcing = Logs and enforces denials for all enforcing domains (processes).

Per-Domain Permissive
– Permissive for specific domains (processes).
– Specified in policy on a per-domain basis.
– Enables incremental application of SELinux to an ever increasing portion of the system.
– Enables policy development for new services and apps while keeping the rest of the system enforcing.

Last edited by moonbutt74; 2nd September 2014 at 06:20 PM.
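An added example, not part of the thread or of the slides it quotes: a small Python script that splits `user:role:type:level` contexts into their fields and then works through a few constructed AVC denial lines (made up for this example, in the shape of kernel `avc: denied` messages), deciding for each whether it would be enforced or only logged given the global mode and the set of domains the policy marks permissive. The function names, the sample log and the `permissive_domains` set are all assumptions made here, not anything from the slides.

```python
"""Added example (not from the thread or the Smalley slides it quotes):
parse user:role:type:level security contexts and classify constructed AVC
denial lines as enforced or logged-only, using the global SELinux mode plus
a per-domain permissive set, as the quoted slides describe."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str    # the only field AOSP policy uses; for a process it is the domain
    level: str


def parse_context(s: str) -> Context:
    """Split a context string into its four fields.
    Split at most three times: the MLS level may itself contain ':'
    (e.g. s0-s0:c0.c1023), so everything after the third colon is the level."""
    parts = s.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a user:role:type:level context: {s!r}")
    return Context(*parts)


# Constructed log lines (not captured from a device) in the shape of
# kernel AVC denial messages; the third line is noise the parser must skip.
SAMPLE_LOG = """\
avc: denied { read } for pid=1234 comm="app_process" name="cmdline" dev="proc" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { write } for pid=200 comm="vold" name="data" dev="mmcblk0p1" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
init: starting service 'zygote'...
"""

AVC_RE = re.compile(
    r"avc: +denied +\{ *(?P<perms>[^}]+?) *\} .*?"
    r"scontext=(?P<sctx>\S+) +tcontext=(?P<tctx>\S+) +tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]
    source: Context      # the process domain that was denied
    target: Context      # the object type it tried to touch
    tclass: str
    enforced: bool       # True if this denial actually blocks the access


def is_enforced(domain: str, global_mode: str,
                permissive_domains: FrozenSet[str]) -> bool:
    """Disabled or globally permissive: nothing is enforced. Enforcing: a
    denial is enforced unless the source domain is marked permissive in
    policy (the per-domain permissive mechanism from the slides)."""
    if global_mode != "enforcing":
        return False
    return domain not in permissive_domains


def classify_log(text: str, global_mode: str,
                 permissive_domains: FrozenSet[str]) -> List[Denial]:
    """Extract every AVC denial from a log text and tag it enforced/logged."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = parse_context(m["sctx"])
        denials.append(Denial(
            perms=tuple(m["perms"].split()),
            source=src,
            target=parse_context(m["tctx"]),
            tclass=m["tclass"],
            enforced=is_enforced(src.type, global_mode, permissive_domains),
        ))
    return denials


if __name__ == "__main__":
    # Assumed configuration: device enforcing, untrusted_app declared permissive.
    for d in classify_log(SAMPLE_LOG, "enforcing", frozenset({"untrusted_app"})):
        state = "ENFORCED" if d.enforced else "logged only"
        print(f"{d.source.type} -> {d.target.type} ({d.tclass}) {d.perms}: {state}")
```

Run it as a script to see the two denials printed with their effective state; on a real device the same decision is visible in the `permissive=` field the kernel appends to each AVC line, which this example deliberately leaves out so that the policy-side reasoning is what produces the answer.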
 
 
#2 | moonbutt74 (OP), 2nd September 2014, 04:35 PM
The state of SELinux in...
AOSP
Quote:

• Android 4.2 or earlier: Disabled.
• Android 4.3: Permissive.
  – With all domains permissive + unconfined.
• Android 4.4: Enforcing.
  – Enforcing for installd, netd, vold, and zygote.
  – Permissive for app domains (logging denials).
  – Permissive + unconfined for all other domains.


Samsung Knox
Quote:

• First included in Galaxy S4 (4.2.2) but in permissive by default.
• 4.3 and later updates switched to enforcing mode.
• No permissive domains (all enforcing).
• Only kernel and init domains are unconfined.
• Policy originally derived from our policy, but customized by Samsung.

Last edited by moonbutt74; 2nd September 2014 at 04:37 PM.
#3 | moonbutt74 (OP), 2nd September 2014, 04:58 PM
On-Device Policy Files

/sepolicy: Kernel binary policy
/file_contexts: File security contexts
/property_contexts: Property security contexts
/seapp_contexts: App security contexts
/system/etc/security/mac_permissions.xml: App certificate to seinfo mapping

On mac_permissions.xml
● At build time, mac_permissions.xml signature tag names (e.g. @platform) are rewritten to the actual
certificate value extracted from the .pem file specified by external/sepolicy/keys.conf.
● build/tools/releasetools/sign_target_files_apks rewrites mac_permissions.xml with updated certificate values for new keys.


System Apps by Certificate
● mac_permissions.xml:
<signer signature="@platform" >
<seinfo value="platform" />
</signer>

seapp_contexts:
user=_app seinfo=platform domain=platform_app type=app_data_file
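An added example, not code from the thread or from AOSP, showing the two-step lookup the post describes: a signing certificate is matched against the `<signer>` entries of mac_permissions.xml to obtain an seinfo string, and then (user, seinfo) is matched against seapp_contexts to pick the app's domain and data-file type. The XML and seapp_contexts text below are constructed for the example (the certificate value is a placeholder standing in for the hex that the build rewrites `@platform` into), and `seinfo_for_cert`, `parse_seapp_contexts` and `resolve_app` are names invented here. The matching rule (all selectors in an entry must match; the entry with the most selectors wins; `isSystemServer` defaults to false) is an assumption that mirrors the documented behaviour but is not AOSP's own code.

```python
"""Added example (not from the thread or AOSP): resolve the SELinux domain and
data-file type an app process receives, following mac_permissions.xml
(certificate -> seinfo) and then seapp_contexts ((user, seinfo) -> domain/type)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed mac_permissions.xml. After the build step described in the post,
# "@platform" has become the real certificate hex; here it is a placeholder.
MAC_PERMISSIONS_XML = """\
<policy>
  <signer signature="3082PLACEHOLDERPLATFORMCERT">
    <seinfo value="platform" />
  </signer>
  <default>
    <seinfo value="default" />
  </default>
</policy>
"""

# Constructed subset in the format of AOSP seapp_contexts (one entry per line,
# key=value pairs; comments start with '#').
SEAPP_CONTEXTS = """\
# selector keys: isSystemServer, user, seinfo, name; output keys: domain, type
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app domain=untrusted_app type=app_data_file
"""

SELECTOR_KEYS = {"isSystemServer", "user", "seinfo", "name"}


def seinfo_for_cert(xml_text: str, cert_hex: str) -> str:
    """Return the seinfo for an app signed with cert_hex, falling back to the
    <default> seinfo when no <signer> matches (empty string if none)."""
    root = ET.fromstring(xml_text)
    for signer in root.findall("signer"):
        if signer.get("signature", "").lower() == cert_hex.lower():
            return signer.find("seinfo").get("value", "")
    default = root.find("default/seinfo")
    return default.get("value", "") if default is not None else ""


def parse_seapp_contexts(text: str) -> List[Dict[str, str]]:
    """Turn seapp_contexts text into a list of {key: value} entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries


def resolve_app(entries: List[Dict[str, str]], user: str, seinfo: str,
                name: str = "", is_system_server: bool = False
                ) -> Optional[Tuple[str, str]]:
    """Pick the (domain, type) for a process. Every selector present in an
    entry must match the request; among matching entries the one with the
    most selectors wins (assumed rule, mirroring 'more specific wins')."""
    best, best_score = None, -1
    for e in entries:
        if (e.get("isSystemServer", "false") == "true") != is_system_server:
            continue
        if "user" in e and e["user"] != user:
            continue
        if "seinfo" in e and e["seinfo"] != seinfo:
            continue
        if "name" in e and e["name"] != name:
            continue
        score = len(SELECTOR_KEYS & e.keys())
        if score > best_score:
            best, best_score = e, score
    if best is None:
        return None
    return best.get("domain", ""), best.get("type", "")


if __name__ == "__main__":
    entries = parse_seapp_contexts(SEAPP_CONTEXTS)
    for cert in ("3082PLACEHOLDERPLATFORMCERT", "deadbeef"):
        si = seinfo_for_cert(MAC_PERMISSIONS_XML, cert)
        print(f"cert {cert[:8]}... -> seinfo={si} -> {resolve_app(entries, '_app', si)}")
```

The point the example makes visible is that the certificate alone decides nothing: an app signed with the platform key only lands in platform_app because the seapp_contexts entry with `seinfo=platform` is more specific than the plain `user=_app` entry, and an app whose certificate matches no `<signer>` falls through to the default seinfo and the untrusted_app domain.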
#4 | moonbutt74 (OP), 12th May 2015, 11:12 PM
Angry Less On's and Morons xD
Okay, seriously though, this is still my notekeeping thread for SELinux/sepolicy understanding and authoring/modifying.

NO SMARTY TYPES !!! DUMB-DUMBS ONLY xD

Okay, so what is this _u _r _t suffix stuff?

• _u – SELinux user
  e.g. system_u – used for running system services
• _r – SELinux role
  e.g. system_r – for daemons and background processes
• _t – SELinux type / domain
  e.g. httpd_t

You can change a single domain to permissive mode.

See this page for more; I will organize as I have time.

https://aricgardner.com/selinux/

also
http://www.lurking-grue.org/selinuxHOWTO.html
http://www.lurking-grue.org/writings...ml#aboutpol2.1