After some tweaks to load_policy, I was able to compile it against Android's bionic C lib. However, I have a problem with loading a sample policy compiled on my desktop Ubuntu PC (policydb version 24) on the Android phone. Specifically, dmesg on the phone's kernel throws up the following error:
SELinux: policydb version 24 does not match my version range 15-19
I see two quick solutions: (1) Re-compile Android kernel with policydb version setting changed to 24. Unfortunately, the max version number currently supported in Android's 2.6.32 msm kernel is 23. (2) Downgrade to policy version 19 on the PC. Any thoughts on alternate solutions.
As regards Mr.Russell's comment, I'm afraid I won't be able to make the binaries public at the moment. However, in order to get SELinux enabled on the Android kernel one could simply do a menuconfig and enable NSA SELinux support. Personally, I referred to this: http://www.linuxtopia.org/online_books/linux_kernel/kernel_configuration/ch09s06.html . As for the Xattr patch for Android's yaffs FS, it is available publicly here: http://www.enck.org/tools/yaffs_xattr.patch
Regards,
Bhargava
On Fri, Nov 4, 2011 at 5:59 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Fri, 2011-11-04 at 17:25 +0100, Bhargava Shastry wrote:I did need to make some changes to bionic, e.g. adding the xattr system
> Dear Mr. Smalley,
>
> Thanks for your inputs. I did go through the slides of your recent
> presentation on a case for SELinux enhanced Android phone. You have
> done a great job re-engineering Android to retrofit SELinux.
>
> I was wondering how much effort it is to actually port a subset of
> SELinux's userspace (e.g., loadpolicy, chcon and a few others) tools
> to Android? Does it entail major changes to Android's existing
> toolchain including modifications to its bionic libc? Also, I was
> wondering if you also undertook a port of coreutils as well (to enable
> the -Z option for utils like ps and ls)?
calls to SYSCALLS.TXT and re-generating the syscall wrapper functions
via gensyscalls.py, adding support for the AT_SECURE auxv flag. Then I
could port a subset of libselinux. To support the SELinux commands and
-Z option, I modified the Android toolbox with support for ps -Z and ls
-Z and added new commands to it for various SELinux tools. To date, I
have added chcon, [gs]etenforce, [gs]etsebool, load_policy, restorecon,
and runcon.
--
Stephen Smalley
National Security Agency
--
Bhargava Shastry
