I'm working through some denials with SEAndroid on Galaxy Nexus and I'm confused
about app data labeling. I thought that the app data would be labeled with the
same category as the app, so c13 app would have c13 on the files in /data. I see
the note in seapp_contexts that levelfromUID only works on apps. How do you get
filesystem separation without labeling the apps with the category?
Also, I'm getting denials like this, which I'm a little confused about since
trusted_app is part of appdomain and appdomain has create_file_perms on
app_data_file. I'm not sure how untrusted_app would be able to keep any state
since everything in /data/data seems to be labeled app_data_file though:
<5>[ 25.067932] type=1400 audit(1327503267.632:59): avc: denied { add_name }
for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF"
scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:app_data_file:s0 tclass=dir
<5>[ 25.148498] type=1400 audit(1327503267.718:60): avc: denied {
remove_name } for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF"
dev=mmcblk0p12 ino=578665 scontext=u:r:trusted_app:s0:c0
tcontext=u:object_r:app_data_file:s0 tclass=dir
<5>[ 26.209320] type=1400 audit(1327503268.773:61): avc: denied { write }
for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386
scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
<5>[ 26.263183] type=1400 audit(1327503268.828:62): avc: denied { setattr }
for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386
scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
