Attached are patches for libselinux and sepolicy to drop the policy version suffix. We still force generation of a version 24 policy by default, although this can be overridden via make command-line or environment setting (e.g. export POLICYVERS=26). Does this seem sane? Note that seandroid-4.0.4 requires changes to system/core as well, so this only fixes it for master and 4.1.1. -- Stephen Smalley National Security Agency
diff --git a/src/android.c b/src/android.c
index ae3f624..af6c79c 100644
--- a/src/android.c
+++ b/src/android.c
@@ -36,7 +36,7 @@ static const struct selinux_opt seopts[] = {
 	{ SELABEL_OPT_PATH, "/file_contexts" },
 	{ 0, NULL } };
 
-static const char *const sepolicy_prefix[] = {
+static const char *const sepolicy_file[] = {
 	"/data/system/sepolicy",
 	"/sepolicy",
 	0 };
@@ -671,29 +671,15 @@ struct selabel_handle* selinux_android_file_context_handle(void)
 int selinux_android_reload_policy(void)
 {
 	char path[PATH_MAX];
-	int fd = -1, rc, vers;
+	int fd = -1, rc;
 	struct stat sb;
 	void *map = NULL;
 	int i = 0;
 
-	vers = security_policyvers();
-	if (vers <= 0) {
-		selinux_log(SELINUX_ERROR, "SELinux: Unable to read policy version\n");
-		return -1;
-	}
-	selinux_log(SELINUX_INFO, "SELinux: Maximum supported policy version: %d\n", vers);
-
-	while (fd < 0 && sepolicy_prefix[i]) {
-		snprintf(path, sizeof(path), "%s.%d",
-			 sepolicy_prefix[i], vers);
+	while (fd < 0 && sepolicy_file[i]) {
+		snprintf(path, sizeof(path), "%s",
+			 sepolicy_file[i]);
 		fd = open(path, O_RDONLY);
-
-		int max_vers = vers;
-		while (fd < 0 && errno == ENOENT && --max_vers) {
-			snprintf(path, sizeof(path), "%s.%d",
-				 sepolicy_prefix[i], max_vers);
-			fd = open(path, O_RDONLY);
-		}
 		i++;
 	}
 	if (fd < 0) {
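Review bot: With the security_policyvers() pre-check gone, a policy file whose version exceeds what the kernel supports is no longer diagnosed before the load; the failure will only surface when the kernel rejects the blob in the load step, which lies past the end of this hunk along with the rest of selinux_android_reload_policy(). It would help triage if the failure path logged the kernel's maximum version alongside the file that was opened, e.g. `selinux_log(SELINUX_ERROR, "SELinux: Could not load policy %s (kernel policyvers %d)\n", path, security_policyvers());`, so "file missing" and "version unsupported" are distinguishable from the log. The `snprintf(path, sizeof(path), "%s", sepolicy_file[i])` copy of a constant table entry is also redundant now that no suffix is appended; `fd = open(sepolicy_file[i], O_RDONLY);` would do, keeping `path` only if the later error message needs it. Note that the loop now advances to the next candidate on any open() error, not just ENOENT as the removed inner loop did, which looks intentional but is worth a one-line comment.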
diff --git a/Android.mk b/Android.mk
index 194dbf7..d3b21bb 100644
--- a/Android.mk
+++ b/Android.mk
@@ -9,7 +9,7 @@ include $(CLEAR_VARS)
 # SELinux policy version.
 # Must be <= /selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS := 24
+POLICYVERS ?= 24
 
 MLS_SENS=1
 MLS_CATS=1024
@@ -31,7 +31,6 @@ include $(CLEAR_VARS)
 LOCAL_MODULE := sepolicy
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_SUFFIX := .$(POLICYVERS)
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
@@ -79,9 +78,9 @@ $(seapp_contexts.tmp): $(LOCAL_PATH)/seapp_contexts $(LOCAL_POLICY_SC)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $^ > $@
 
-$(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(TARGET_ROOT_OUT)/sepolicy.$(POLICYVERS) $(HOST_OUT_EXECUTABLES)/checkseapp
+$(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(TARGET_ROOT_OUT)/sepolicy $(HOST_OUT_EXECUTABLES)/checkseapp
 	@mkdir -p $(dir $@)
-	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(TARGET_ROOT_OUT)/sepolicy.24 -o $@ $<
+	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(TARGET_ROOT_OUT)/sepolicy -o $@ $<
 
 seapp_contexts.tmp :=
 ##################################
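Review bot: Switching to `POLICYVERS ?= 24` makes the policy version silently inherit whatever the build environment happens to export, but the comment block above it still reads as if the value were fixed; the override should be documented next to the two constraints so a reader knows the env/command-line value is subject to the same checks. Suggested addition to the comment: `# May be overridden from the environment or make command line (e.g. POLICYVERS=26);` followed by `# the same kernel and checkpolicy constraints apply to the overriding value.` Since the output file no longer carries the version in its name, the version of an installed sepolicy can only be determined from its header, so this comment is the remaining place where the constraint is visible at build time.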