On Mon, Aug 27, 2012 at 9:00 PM, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
> I have the initial check_seapp tool integrated into sepolicy, and
> rather than blasting patches back and forth for code review, we can
> use bitbucket and its wiki...
>
> Please visit,
> https://bitbucket.org/billcroberts/external-sepolicy/overview
>
> let's work on getting this up to par, and then I will submit a patch
> back over the mailing list for its inclusion.

An MLS level is a string consisting of a sensitivity level:category-set, e.g. s0:c15. It is not an integer. You should be able to use sepol_mls_check() to check the validity of an MLS level against a given policy.

It doesn't seem like your two projects are consistent or buildable - check_seapp has no Android.mk and would suggest it is named check_seapp, whereas sepolicy wants to invoke checkseapp.

I can also throw together a simple checkfc program to check the file_contexts against the policy to prevent the kinds of problems you encountered when you omitted an MLS level from your file_contexts entry. In normal SELinux, we use setfiles -c for that purpose, but I didn't bring setfiles over into the Android tree as a build host tool and we don't need all of its functionality anyway. I can create a greatly streamlined version of the setfiles -c functionality as a simple program under sepolicy in the Android tree.
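
The level format described in the message above (sensitivity, optionally followed by a colon and a category set), as an added example that is not code from the thread or from either project. It checks syntax only, assumes the conventional sN/cN names, and takes the sensitivity and category counts as caller-supplied stand-ins for the policy; validity against a real policy is what sepol_mls_check() is for.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse "<prefix><decimal>" (e.g. "s0", "c15"), advance *p past it and
 * return the number, or -1 if the text is not of that form. */
static long parse_ident(const char **p, char prefix)
{
    char *end;
    long n;

    if (**p != prefix || !isdigit((unsigned char)(*p)[1]))
        return -1;
    n = strtol(*p + 1, &end, 10);   /* overflow yields LONG_MAX: out of bounds */
    *p = end;
    return n;
}

/* Return 1 if level is "sN" or "sN:cat[,cat...]", where cat is "cA" or a
 * range "cA.cB" with A < B, N < nsens and every category < ncats.
 * nsens and ncats are assumptions of this example, not read from a policy. */
int mls_level_syntax_ok(const char *level, long nsens, long ncats)
{
    const char *p = level;
    long s, lo, hi;

    s = parse_ident(&p, 's');
    if (s < 0 || s >= nsens) return 0;
    if (*p == '\0') return 1;            /* sensitivity with no categories */
    if (*p++ != ':') return 0;
    for (;;) {
        lo = hi = parse_ident(&p, 'c');
        if (lo < 0) return 0;
        if (*p == '.') {                 /* category range cA.cB */
            p++;
            hi = parse_ident(&p, 'c');
            if (hi <= lo) return 0;
        }
        if (hi >= ncats) return 0;
        if (*p == '\0') return 1;
        if (*p++ != ',') return 0;       /* only ',' may follow a category */
    }
}

int main(void)
{
    /* Constructed sample values; "15" is the integer form the reply rejects. */
    const char *v[] = { "s0:c15", "s0", "s0:c0.c3,c15", "15", "s0:", "s0:c5.c2" };
    for (size_t i = 0; i < sizeof v / sizeof *v; i++)
        printf("%-14s %s\n", v[i], mls_level_syntax_ok(v[i], 1, 1024) ? "ok" : "INVALID");
    return 0;
}
```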