On Tue, 2012-04-24 at 14:13 +0000, Palarz Thomas-DCJ738 wrote:
> All,
>
> I've gotten SEAndroid 4.0.3 running on a Samsung Galaxy Nexus maguro
> (GSM). I've seen posts about it running on Galaxy Nexus already, but I
> assume that was the CDMA version toro. Thought I'd add my 2 cents and get
> it going on the GSM handset.
>
> I did have to manually(-ish) build the zImage in order for mkbootimg
> build dependency to be satisfied and didn't see that on the wiki.
> What's the reasoning for creating a separate project for the omap tuna
> kernel btw? I assume it's because the Android build system is using a
> prebuilt kernel for the recovery image and we wanted an SELinux-aware
> kernel in place of it?

Correct. We have a slightly modified kernel/omap tree that enables
SELinux and its dependencies in the kernel config and adds SELinux
permission checking for the Binder. Then we have a slightly modified
device/samsung/tuna tree that uses our kernel rather than the prebuilt
one, defines HAVE_SELINUX := true in the BoardConfig.mk for the
userspace build, modifies init.tuna.rc, and adds the sepolicy.* files
for the tuna-specific policy definitions.

> I haven't successfully turned enforcing on yet, but I have some avc
> denials. I'll try to run audit2allow tonight. The new SEAndroid
> Manager app with the avc log file save capability is really nifty ;)

You might want to post the denials first for review. Often the
audit2allow output is not what you want; instead you may simply need to
label some files correctly to get everything working cleanly.

> Has anyone been trying to get SLIDE/CDS working with the SEAndroid
> policy? My last attempt at it didn't work out because the SEAndroid
> policy isn't being compiled in the Reference Policy format as far as I
> can tell, but I haven't spent significant amounts of time on it either
> to be honest.

I briefly experimented with SLIDE as well (as you note, it doesn't work
presently) and have asked the SLIDE developers for more information
about its specific dependencies on refpolicy. I suspect we would at
least need to introduce the same kind of inline xml documentation for
our macros so that they can be recognized by SLIDE, and we might have to
follow refpolicy's directory layout and naming conventions if we want
SLIDE to work seamlessly. Might also need some equivalents to
refpolicy's build.conf and modules.conf files. I'm not sure though how
critical it is, as the SE Android policy is quite small and simple so it
isn't clear how much you would gain from an IDE.

--
Stephen Smalley
National Security Agency
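
The advice above to review denials before running audit2allow, sketched as an added example (not part of the original message or the SE Android project's code): it groups AVC denials and flags those whose target has a generic type, where fixing the object's label is usually the right change rather than a new allow rule. The GENERIC_TYPES set, the hint names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: types treated as generic defaults. A denial whose target has one
# of these usually means the object was never given a specific label.
GENERIC_TYPES = {"unlabeled", "device", "system_data_file", "rootfs"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")
FIELD_RE = re.compile(r'\b(name|path)=("[^"]*"|\S+)')

# Constructed sample denials (not taken from the thread).
SAMPLE_LOG = """\
type=1400 audit(1335276781.100:5): avc:  denied  { read write } for  pid=112 comm="mediaserver" name="example_dev0" dev=tmpfs ino=2101 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
type=1400 audit(1335276781.130:6): avc:  denied  { open } for  pid=112 comm="mediaserver" name="example_dev0" dev=tmpfs ino=2101 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file
type=1400 audit(1335276787.800:9): avc:  denied  { search } for  pid=340 comm="example_app" name="example_dir" dev=mmcblk0p12 ino=77 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=dir
"""

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def triage(log_text):
    """Group denials by (source type, target type, class) and tag each group."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        obj = fields.get("path") or fields.get("name")
        if obj:
            groups[key]["objects"].add(obj)
    report = []
    for (src, tgt, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        report.append({
            "rule": f"allow {src} {tgt}:{tclass} {perm_str};",  # audit2allow-style
            "objects": sorted(g["objects"]),  # what to consider relabeling
            "hint": "label-first" if tgt in GENERIC_TYPES else "review-rule",
        })
    return report

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["hint"], entry["rule"], entry["objects"])
```

A "label-first" entry lists the objects to give a specific type in the file contexts; "review-rule" entries still need a human decision on whether the access should be granted at all.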