On Wed, 2012-01-25 at 13:26 -0500, James Carter wrote:
> On Wed, 2012-01-25 at 10:12 -0500, Joshua Brindle wrote:
> > I'm working through some denials with SEAndroid on Galaxy Nexus and I'm confused
> > about app data labeling. I thought that the app data would be labeled with the
> > same category as the app, so c13 app would have c13 on the files in /data. I see
> > the note in seapp_contexts that levelfromUID only works on apps. How do you get
> > filesystem separation without labeling the apps with the category?
> >
>
> On both the emulator and my Nexus S, the files in /data/data are labeled
> with categories.
>
> > Also, I'm getting denials like this, which I'm a little confused about since
> > trusted_app is part of appdomain and appdomain has create_file_perms on
> > app_data_file. I'm not sure how untrusted_app would be able to keep any state
> > since everything in /data/data seems to be labeled app_data_file though:
> >
> > <5>[ 25.067932] type=1400 audit(1327503267.632:59): avc: denied { add_name }
> > for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF"
> > scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:app_data_file:s0 tclass=dir
> > <5>[ 25.148498] type=1400 audit(1327503267.718:60): avc: denied { remove_name }
> > for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF"
> > dev=mmcblk0p12 ino=578665 scontext=u:r:trusted_app:s0:c0
> > tcontext=u:object_r:app_data_file:s0 tclass=dir
> > <5>[ 26.209320] type=1400 audit(1327503268.773:61): avc: denied { write }
> > for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386
> > scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
> > <5>[ 26.263183] type=1400 audit(1327503268.828:62): avc: denied { setattr }
> > for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386
> > scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
> >
> > I believe that these are from MLS constraints on writing down.
>
> I don't think your /data/data is labeled properly.
> Did you wipe everything when you did the install?

(The "-w" in "fastboot -w flashall" causes user data to be erased.)
At this point in the project, any existing app data would have to be manually labeled.

> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> > the words "unsubscribe selinux" without quotes as the message.
>
> --
> James Carter <jwcart2@xxxxxxxxxxxxx>
> National Security Agency
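As an added triage example (not code from any participant in this thread), the script below parses the four AVC denials quoted above and checks the MLS levels on each side: the subject contexts carry a per-app category (c0, c6) while every app_data_file object is plain s0, which is exactly the "not labeled properly" symptom the reply points at. The regex and the category-subset heuristic are my own assumptions for log triage, not the policy's actual mlsconstrain rules.

```python
import re

# Constructed sample input: the four denials quoted in the thread, one per line.
DENIALS = """\
<5>[ 25.067932] type=1400 audit(1327503267.632:59): avc: denied { add_name } for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF" scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:app_data_file:s0 tclass=dir
<5>[ 25.148498] type=1400 audit(1327503267.718:60): avc: denied { remove_name } for pid=461 comm="ContactsProvide" name="contacts2.db-mj1A7E80AF" dev=mmcblk0p12 ino=578665 scontext=u:r:trusted_app:s0:c0 tcontext=u:object_r:app_data_file:s0 tclass=dir
<5>[ 26.209320] type=1400 audit(1327503268.773:61): avc: denied { write } for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386 scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
<5>[ 26.263183] type=1400 audit(1327503268.828:62): avc: denied { setattr } for pid=570 comm="viders.calendar" name="calendar.db" dev=mmcblk0p12 ino=578386 scontext=u:r:trusted_app:s0:c6 tcontext=u:object_r:app_data_file:s0 tclass=file
"""

# Assumed log shape: "avc: denied { perms } ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]*)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def parse_context(ctx):
    """Split 'u:r:trusted_app:s0:c6' into type, sensitivity and category set."""
    _user, _role, typ, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")   # 's0', 'c6'  (or '' when no categories)
    return typ, sens, set(cats.split(",")) if cats else set()


def triage(log):
    """Return one record per denial, flagging objects that lack the subject's categories."""
    records = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype, ssens, scats = parse_context(m["scontext"])
        ttype, tsens, tcats = parse_context(m["tcontext"])
        # Heuristic: a categorised subject touching an uncategorised object is the
        # unlabeled-app-data symptom; the real decision is the policy's MLS constraint.
        flagged = bool(scats) and not scats <= tcats
        records.append({
            "perm": m["perms"].strip(), "tclass": m["tclass"],
            "stype": stype, "scats": scats, "ttype": ttype, "tcats": tcats,
            "unlabeled_object": flagged,
        })
    return records


if __name__ == "__main__":
    for r in triage(DENIALS):
        print(r["perm"], r["tclass"], r["stype"], sorted(r["scats"]),
              "->", r["ttype"], sorted(r["tcats"]), "FLAG" if r["unlabeled_object"] else "")
```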