|Main Archive Page > Month Archives > selinux archives|
Dear Mr. Smalley,
Thanks for your inputs. I did go through the slides of your recent
presentation on a case for SELinux enhanced Android phone. You have done a
great job re-engineering Android to retrofit SELinux.
I was wondering how much effort it is to actually port a subset of
SELinux's userspace (e.g., loadpolicy, chcon and a few others) tools to
Android? Does it entail major changes to Android's existing toolchain
including modifications to its bionic libc? Also, I was wondering if you
also undertook a port of coreutils as well (to enable the -Z option for
utils like ps and ls)?
On Fri, Nov 4, 2011 at 1:32 PM, Stephen Smalley <email@example.com> wrote:
> On Fri, 2011-11-04 at 11:16 +0100, Bhargava Shastry wrote:
> > Hello,
> > I am trying to get SELinux running on an Android phone. I did
> > successfully build the kernel with SELinux enabled and mounted
> > selinuxfs on init. Now, I would like to port SELinux user-space tools
> > for policy loading/management. I looked at sebusybox tool-set but ran
> > into problems while compiling. My hunch is that header files related
> > to File System extended attributes are missing in the bionic lib
> > sources that Android builds on. Having said that I have patched the
> > Android YAFFS FS with an Xattr patch and also configured the kernel
> > accordingly.
> > I have sources of libselinux and libsepol checked out and am wondering
> > how to go about building these libraries for Android. Any help in this
> > regard would be much appreciated.
> We have been working on enabling the use of SELinux in Android. I gave
> a talk on this topic at the Linux Security Summit in September; the
> slides are available here:
> You don't need much of the SELinux userspace on the device unless you
> want to try to support modular policy on the device, which I wouldn't
> recommend (at least in its current form). You can just build the policy
> on your build host using the build host's checkpolicy, which should be
> available to you on most Linux distributions; I build on Fedora and
> others have built my code on Ubuntu, both of which have checkpolicy
> available. So you don't need libsepol, checkpolicy, libsemanage, or
> most of policycoreutils on the device.
> The only core SELinux userspace components that you need on the device
> are a subset of libselinux (primarily the wrappers for the SELinux
> kernel interfaces that you want to use on the device), and a subset of
> the SELinux utilities (some of which you'll want to implement as init
> built-ins because init.rc is interpreted and executed in-process by
> init, not by exec'ing external programs except for starting services;
> others you may want as additions to the Android toolbox so that you can
> invoke them from an adb shell). libselinux needs to be ported (i.e.
> modified) and not just re-compiled for Android due to differences in its
> libc (bionic vs glibc).
> We plan to release our code once we have integrated SELinux with the
> application layer access controls and can demonstrate a more complete
> Stephen Smalley
> National Security Agency
-- Bhargava Shastry -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to firstname.lastname@example.org with the words "unsubscribe selinux" without quotes as the message.