SE Linux Policy Information Thread

moonbutt74

Okay, so this will be dedicated to what information I can find on understanding and defining sepolicy,
really for any device. It's not meant to be a Q&A but an evolving source of reference. The approach
towards the gathering of the information will be in a pick-and-pack format. Anyone who's ever worked in a warehouse
will know how that is.

Skipping through rationale, selling points, and philosophy, here is the first bit of info I've been wanting to know for a while. And maybe it will help with cm11.

from this site - http://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf

SELinux Labeling:
Each process and object is labeled with a security context.

A string of the form “user:role:type:level”.

Only the type field is used in AOSP presently.

Process types are also called domains.

Domains and types are security equivalence classes.

Identifiers for processes and objects in policy.

Same domain/type => same access.

SELinux Policy:

The security policy configuration defines:

how to label processes and objects with domains and types,

how domains can interact with each other (e.g. signals, IPC, ptrace), and how domains can access types.

No processes are exempt from the policy.

Not overridden by uid-0 or Linux capabilities.

Only notion of “unconfined” is policy-defined.

SELinux Possible States:

Disabled = Not enabled in the kernel or disabled via kernel parameter.

Permissive = Just logs denials but does not enforce them.

Enforcing = Logs and enforces denials for all enforcing domains (processes).

Per-Domain Permissive

Permissive for specific domains (processes).

Specified in policy on a per-domain basis.

Enables incremental application of SELinux to an ever increasing portion of the system.

Enables policy development for new services and apps while keeping the rest of the system enforcing.
moonbutt74

The state of SELinux in...

AOSP
Android 4.2 or earlier: Disabled.

Android 4.3: Permissive.

With all domains permissive + unconfined.

Android 4.4: Enforcing. Enforcing for installd, netd, vold, and zygote.

Permissive for app domains (logging denials).
Permissive + unconfined for all other domains.


Samsung Knox
First included in Galaxy S4 (4.2.2) but in permissive by default.

4.3 and later updates switched to enforcing mode.

No permissive domains (all enforcing).

Only kernel and init domains are unconfined.

Policy originally derived from our policy, but customized by Samsung.
moonbutt74

On-Device Policy Files

/sepolicy: Kernel binary policy
/file_contexts: File security contexts
/property_contexts: Property security contexts
/seapp_contexts: App security contexts
/system/etc/security/mac_permissions.xml: App certificate to seinfo mapping

On mac_permissions.xml
● At build time, mac_permissions.xml signature tag names (e.g. @platform) are rewritten to the actual
certificate value extracted from the .pem file specified by external/sepolicy/keys.conf.
● build/tools/releasetools/sign_target_files_apks rewrites mac_permissions.xml with updated certificate values for new keys.


System Apps by Certificate
● mac_permissions.xml:
<signer signature="@platform" >
<seinfo value="platform" />
</signer>

seapp_contexts:
user=_app seinfo=platform domain=platform_app type=app_data_file
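As an added illustration (not code from the slides or from this thread) of how those two files combine, here is a small Python model that maps an app's signing certificate to an seinfo value through mac_permissions.xml and then matches seapp_contexts to get the domain and data-file type. The certificate value, the extra entries (system_server, untrusted_app) and the first-match ordering are constructed assumptions, and real libselinux handles more selectors than this.

```python
import xml.etree.ElementTree as ET
# Constructed mac_permissions.xml; the signature value is a placeholder, not a real cert.
MAC_PERMISSIONS_XML = """<policy>
  <signer signature="PLACEHOLDER_PLATFORM_CERT_HEX">
    <seinfo value="platform" />
  </signer>
  <default>
    <seinfo value="default" />
  </default>
</policy>"""

# Constructed seapp_contexts entries, listed most specific first (an assumption here).
SEAPP_CONTEXTS = """\
isSystemServer=true domain=system_server
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app domain=untrusted_app type=app_data_file
"""

def seinfo_for_cert(xml_text, cert_hex):
    """Certificate -> seinfo via <signer signature=...>, else the <default> entry."""
    root = ET.fromstring(xml_text)
    for signer in root.findall("signer"):
        if signer.get("signature") == cert_hex:
            return signer.find("seinfo").get("value")
    default = root.find("default/seinfo")
    return default.get("value") if default is not None else None

def parse_seapp_contexts(text):
    """Parse 'key=value key=value' lines into dicts; skip blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(dict(kv.split("=", 1) for kv in line.split()))
    return entries

def label_for_app(entries, user, seinfo, is_system_server=False):
    """(domain, type) from the first entry whose selectors all match (simplified: only isSystemServer/user/seinfo)."""
    for e in entries:
        if "isSystemServer" in e and (e["isSystemServer"] == "true") != is_system_server:
            continue
        if e.get("user", user) != user or e.get("seinfo", seinfo) != seinfo:
            continue
        return e.get("domain"), e.get("type")
    return None, None

def resolve(cert_hex, user, is_system_server=False):
    # The whole chain from the page: certificate -> seinfo -> domain and data-file type.
    seinfo = seinfo_for_cert(MAC_PERMISSIONS_XML, cert_hex)
    return label_for_app(parse_seapp_contexts(SEAPP_CONTEXTS), user, seinfo, is_system_server)
```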
moonbutt74

Less On's and Morons xD

Okay, seriously though, this is still my notekeeping thread for selinux/sepolicy understanding and authoring/modifying.

NO SMARTY TYPES !!! DUMB-DUMBS ONLY xD

Okay so what is this _u _r _t suffix stuff?

• _u – SELinux user
e.g. system_u – used for running system services
• _r – SELinux role
e.g. system_r – for daemons and background processes
• _t – SELinux type / domain
e.g. httpd_t
You can change a single domain to permissive mode.

See this page for more; I will organize it as I have time.

https://aricgardner.com/selinux/

also
http://www.lurking-grue.org/selinuxHOWTO.html
http://www.lurking-grue.org/writingselinuxpolicyHOWTO.html#aboutpol2.1