From mboxrd@z Thu Jan 1 00:00:00 1970
In-Reply-To: <1342046389-9271-1-git-send-email-hqjiang1988@gmail.com>
References: <1342046389-9271-1-git-send-email-hqjiang1988@gmail.com>
Date: Thu, 12 Jul 2012 06:13:39 -0400
Subject: Re: Patches to target denies of GpsLocationProvider and media_app over mtp_device
From: Robert Craig
To: hqjiang
Cc: selinux@tycho.nsa.gov, sds@tycho.nsa.gov, bill.c.roberts@gmail.com
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

What branch are you on? I have a build of master that has android.process.media labeled as

u:r:media_app:s0:c10

which would suggest to me that the seinfo string is media. If your android.process.media is not being labeled as media, then what is its label? There was a brief period on the master branch that the mac_permissions.xml file was wrong because of some updates on Jelly Bean permissions needed by some of the apps. Specifically the MediaProvider. Are you seeing any "MMAC_DENIAL" messages in logcat for any media apps during install?

I would try to re-sync on master and see what happens.

On Wed, Jul 11, 2012 at 6:39 PM, hqjiang wrote:
> One thing should be paid attention to here:
> We add a new entry of "user=app_* name=android.process.media
> domain=media_app levelFromUid=true" to seapp_context file.
> One would say it's unnecessary because there's already one policy
> "user=app_* seinfo=media domain=media_app levelFromUid=true".
> But the thing is that the seinfo of "android.process.media" is not media.
>
> If you have better ideas, please let us know. And we can resubmit the
> refined patches later.
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
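Added example, not part of the original message and not libselinux code: a simplified Python model of how the two seapp_contexts entries quoted above select a domain from an app's user, seinfo and process name. The seinfo value `platform`, the `untrusted_app` fallback entry, the "most selectors wins" ordering and the derivation of the category from the `app_N` user name (chosen to be consistent with the `s0:c10` label in the message) are assumptions made for illustration.

```python
# Simplified model of seapp_contexts matching (illustration only).
# Constructed policies: the two media_app entries are quoted in the thread;
# the untrusted_app fallback line is an assumption added for contrast.
OLD_POLICY = """\
user=app_* seinfo=media domain=media_app levelFromUid=true
user=app_* domain=untrusted_app levelFromUid=true
"""
NEW_POLICY = OLD_POLICY + (
    "user=app_* name=android.process.media domain=media_app levelFromUid=true\n"
)

INPUT_KEYS = ("user", "seinfo", "name")  # selectors; other keys are outputs


def parse(text):
    """Turn each non-empty line into a dict of key=value pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(dict(tok.split("=", 1) for tok in line.split()))
    return rules


def matches(rule, user, seinfo, name):
    """A rule matches when every selector it specifies agrees with the app."""
    pattern = rule.get("user")
    if pattern is not None:
        if pattern.endswith("*"):
            if not user.startswith(pattern[:-1]):
                return False
        elif pattern != user:
            return False
    if "seinfo" in rule and rule["seinfo"] != seinfo:
        return False
    if "name" in rule and rule["name"] != name:
        return False
    return True


def lookup(rules, user, seinfo, name):
    """Return the process context chosen for the app, or None if no rule fits."""
    hits = [r for r in rules if matches(r, user, seinfo, name)]
    if not hits:
        return None
    # Assumption: the rule with the most selectors wins; ties go to file order.
    best = max(hits, key=lambda r: sum(k in r for k in INPUT_KEYS))
    level = "s0"
    if best.get("levelFromUid") == "true" and user.startswith("app_"):
        level = "s0:c" + user[len("app_"):]  # assumption: app_10 -> c10
    return "u:r:%s:%s" % (best["domain"], level)
```

With the seinfo-only entry, a process whose seinfo is not `media` falls through to the fallback domain; the name-based entry catches it regardless of seinfo, which is why checking the actual label and the mac_permissions.xml assignment comes first.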