Android SEpolicy file_contexts not applied for files under directory
I am trying to write an SEpolicy for a custom service which creates sockets under the /dev/test_sock/ folder.
At start it creates ten sockets:
/dev/test_sock/sock1
/dev/test_sock/sock2
/dev/test_sock/sock3
...
/dev/test_sock/sock10
I need to have a different file context for each of these sockets.
As an example I checked in AOSP how it is done, for example for block devices:
/dev(/.*)? u:object_r:device:s0
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
And I checked the actual device contexts; these look OK:
30|console:/ # ls -alZ /dev/block/
total 0
drwxr-xr-x 5 root root u:object_r:block_device:s0 640 1970-01-01 00:00 .
drwxr-xr-x 18 root root u:object_r:device:s0 3600 1970-01-01 00:00 ..
brw------- 1 root root u:object_r:loop_device:s0 7, 0 1970-01-01 00:00 loop0
brw------- 1 root root u:object_r:userdata_block_device:s0 179, 0 1970-01-01 00:00 mmcblk0
bdrwx------ 2 root reserved_disk u:object_r:block_device:s0 40 1970-01-01 00:00 vold
Therefore I tried to do it the same way for my own service. I created a file_contexts with this content:
/dev/test_sock(/.*)? u:object_r:test_sock_device:s0
/dev/test_sock/sock1 u:object_r:test_sock_device1:s0
/dev/test_sock/sock[2-4] u:object_r:test_sock_device_other:s0
The correct file context is applied to the /dev/test_sock/ folder, but the sockets inside this folder all have the same file context. From my understanding the context for sock1 should be test_sock_device1 and for sock[1 - 4] should be test_sock_device_other:
130|console:/ # ls -alZ /dev/test_sock/
total 0
drwxr-xr-x 2 root root u:object_r:test_sock_device:s0 280 1970-01-01 00:00 .
drwxr-xr-x 18 root root u:object_r:device:s0 3600 1970-01-01 00:00 ..
srw-rw---- 1 root root u:object_r:test_sock_device:s0 0 1970-01-01 00:00 sock1
srw-rw---- 1 root root u:object_r:test_sock_device:s0 0 1970-01-01 00:00 sock2
srw-rw---- 1 root root u:object_r:test_sock_device:s0 0 1970-01-01 00:00 sock3
How do I correctly set the context by using file_contexts in my case?
android linux android-source selinux
asked Nov 21 '18 at 12:49
Yuri
I found that if I run restorecon -Rv /dev/test_sock/ it sets the correct file contexts, but why does it not set them when the service creates the sockets?
– Yuri
Nov 21 '18 at 17:26
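The following is an added example, not part of the question or of any answer on the page, and it is not AOSP code. It addresses the behaviour observed above: file_contexts is only consulted when something labels the filesystem explicitly (build-time image labeling, init's restorecon_recursive, or a manual restorecon), which is why restorecon -Rv fixes the labels after the fact. A socket file the service creates at runtime is labeled by the kernel from its type_transition rules for the creating domain and the parent directory's type; with no matching rule the new inode simply inherits the parent directory's type, test_sock_device, which is exactly what the ls -alZ output shows. The fix is a type_transition in the service's policy. The domain name test_service, the file name test_sock.te and the specific allow rules below are assumptions; the three type names are the ones used in the question's file_contexts.

```selinux
# test_sock.te  (added example; test_service is an assumed domain name)

# Types referenced by file_contexts must be declared in policy. dev_type is the
# AOSP attribute for things that live under /dev.
type test_sock_device, dev_type;
type test_sock_device1, dev_type;
type test_sock_device_other, dev_type;

# Runtime labeling of sock_file objects that test_service creates inside a
# directory labeled test_sock_device. These rules, not file_contexts, decide the
# label at bind() time.
#
# Generic rule: any socket the service creates in the directory gets
# test_sock_device_other (covers sock2 .. sock10 without listing each name).
type_transition test_service test_sock_device:sock_file test_sock_device_other;

# Name-based rule: overrides the generic one for the exact file name "sock1".
# Name-based transitions match a literal name, not a regex, so one line per
# distinct name is needed (requires kernel/policy support for filename
# transitions, policy version 25 or newer, present on current Android kernels).
type_transition test_service test_sock_device:sock_file test_sock_device1 "sock1";

# Permissions the service needs to create, use and remove the sockets.
# (Assumed minimal set; extend with getattr/read etc. as your service requires.)
allow test_service test_sock_device:dir { search write add_name remove_name };
allow test_service test_sock_device1:sock_file { create setattr unlink write };
allow test_service test_sock_device_other:sock_file { create setattr unlink write };
```

Keep the file_contexts entries from the question as well: they are what restorecon and build-time labeling use, and they should agree with the type_transition rules so that the label does not change when the directory is relabeled. After rebuilding and flashing the policy, restart the service, check `ls -alZ /dev/test_sock/` for the expected per-socket types, and check `dmesg | grep avc` for denials on the sock_file or dir classes if the service fails to bind.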