Hi,

The install-time MAC support has been updated to allow one to specify seinfo strings based on the app certificates in the mac_permissions.xml configuration and then map those seinfo string values to SELinux security contexts in the seapp_contexts configuration. This replaces the fixed, hardcoded seinfo=systemApp selector (based on whether the app was from the system partition) with a more flexible scheme based on certificates.

The example mac_permissions.xml configuration defines seinfo= strings for each of the AOSP build keys (platform, media, shared, release), and the seapp_contexts configuration maps each of these seinfo strings to a distinct SELinux domain (replacing the old trusted_app domain). These changes are on the mac-install feature branch and merged onto the mmac branch.

We are contemplating merging the install-time MAC support onto the main seandroid branch as this now provides enhanced capabilities for SELinux policy and creates a linkage between the two mechanisms. The permission revocation and tag propagation mechanisms would remain separate.

Comments and feedback on this enhancement and on the proposed merge are welcome.

--
Stephen Smalley
National Security Agency
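The two-stage lookup described in the message (signing certificate to seinfo string, then seinfo string to SELinux domain), as an added example that is not part of the original message or the project's code. The XML layout, the placeholder certificate values, the domain names, and the "rule naming seinfo wins" precedence are simplified assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of mac_permissions.xml; signatures are
# short placeholder hex strings, not real certificates.
MAC_PERMISSIONS = """
<policy>
  <signer signature="aa01"><seinfo value="platform"/></signer>
  <signer signature="bb02"><seinfo value="media"/></signer>
  <signer signature="cc03"><seinfo value="shared"/></signer>
  <signer signature="dd04"><seinfo value="release"/></signer>
  <default><seinfo value="default"/></default>
</policy>
"""

# Constructed sample in the style of seapp_contexts (domain names assumed).
SEAPP_CONTEXTS = """
user=_app seinfo=platform domain=platform_app
user=_app seinfo=media domain=media_app
user=_app seinfo=shared domain=shared_app
user=_app seinfo=release domain=release_app
user=_app domain=untrusted_app   # fallback when no seinfo rule matches
"""

def load_seinfo_map(xml_text):
    """Return ({cert_hex: seinfo}, default_seinfo) from the policy XML."""
    root = ET.fromstring(xml_text)
    signers = {s.get("signature").lower(): s.find("seinfo").get("value")
               for s in root.findall("signer")}
    default = root.find("default/seinfo")
    return signers, default.get("value") if default is not None else None

def load_seapp_rules(text):
    """Parse key=value lines into dicts, skipping blanks and comments."""
    lines = (l.split("#", 1)[0].split() for l in text.splitlines())
    return [dict(kv.split("=", 1) for kv in f) for f in lines if f]

def resolve_domain(cert_hex, user="_app"):
    """Install time: cert -> seinfo. App start: (user, seinfo) -> domain."""
    signers, default = load_seinfo_map(MAC_PERMISSIONS)
    seinfo = signers.get(cert_hex.lower(), default)
    best = None
    for r in load_seapp_rules(SEAPP_CONTEXTS):
        if r.get("user") != user or r.get("seinfo", seinfo) != seinfo:
            continue
        # Assumed precedence: a rule naming seinfo beats one that omits it.
        if best is None or ("seinfo" in r and "seinfo" not in best):
            best = r
    return seinfo, best["domain"] if best else None
```

An app signed with a certificate that matches no signer entry receives the default seinfo and lands in the fallback domain, which is the case to check when auditing a policy for apps that should not inherit a privileged domain.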