A Note about sepolicy in Android Oreo.

First things first

SELinux documents:

Android sepolicy files

Policy path:

  • /system/sepolicy
  • BOARD_SEPOLICY_DIR (device/$VENDOR/$DEVICE/sepolicy/, device/$VENDOR/$DEVICE/common/sepolicy/)

Policy Macros:

  • system/sepolicy/public/te_macros
  • system/sepolicy/public/global_macros
  • system/sepolicy/public/ioctl_macros
  • system/sepolicy/public/neverallow_macros
  • system/sepolicy/private/mls_macros
  • system/sepolicy/reqd_mask/mls_macros

Security Context:

  • file_contexts, labeling files in the filesystem.
  • property_contexts, labeling android system/vendor properties
  • genfs_contexts, per-file labeling for /proc files, generic filesystem security contexts.
  • seapp_contexts, used by zygote and installd via libselinux, mapping app UID and seinfo for /data/data directory
  • hwservice_contexts, for hwservice manager to check
  • vndservice_contexts, for vndservice manager to check
  • service_contexts, for service manager to check

Type Enforcement

  • *.te

Composing Policy for Android Treble

  1. Add domains for a service

    Add a security context depending on the service type:

    • Hardware service

      Define the service type in hwservice.te

        type vnd_foo_hwservice, hwservice_manager_type;

      Label the hwservice in hwservice_contexts

        vendor.realtek.foo::IfooAPI     u:object_r:vnd_foo_hwservice:s0

    • Vendor service

      Define the service type in vndservice.te

        type  foo_service,  vndservice_manager_type;

      Label the vndservice in vndservice_contexts

        fooservice  u:object_r:foo_service:s0

    • System service

      Define the service type in service.te

        type foo_service,                 service_manager_type;

      Label the system service in service_contexts

        fooservice  u:object_r:foo_service:s0
    
  2. Add domain and type enforcement configuration

    Create a new foo.te file

    Define the service domain and file attributes

     type foo, domain;
     type foo_exec, exec_type, vendor_file_type, file_type;

     init_daemon_domain(foo)
    
  3. Add file security context in file_contexts

     /vendor/bin/foo  u:object_r:foo_exec:s0
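
The steps above only hold together when every label in a contexts file names a type that is declared with the matching attribute. The Python lint below is an added example, not part of the original note or of the AOSP build. It assumes the simplified `name u:object_r:type:s0` entry form used on this page and reads attributes only from `type` lines; the `vendor.example.bar` and `/vendor/bin/bar` entries are constructed to trigger findings.

```python
import re

# Attribute each contexts file expects on the types it references (pairings from the steps above).
EXPECTED_ATTR = {
    "hwservice_contexts": "hwservice_manager_type",
    "vndservice_contexts": "vndservice_manager_type",
    "service_contexts": "service_manager_type",
    "file_contexts": "file_type",
}
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*((?:,\s*\w+\s*)*);", re.M)
ENTRY = re.compile(r"^(\S+)\s+u:object_r:(\w+):s0$")

def declared_types(te_text):
    """Map each declared type to the attributes listed on its `type` line."""
    return {name: set(re.findall(r"\w+", attrs))
            for name, attrs in TYPE_DECL.findall(te_text)}

def check_contexts(kind, contexts_text, types):
    """Return the problems found in one contexts file (simplified syntax)."""
    problems = []
    for lineno, raw in enumerate(contexts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            problems.append(f"{kind}:{lineno}: malformed entry")
            continue
        key, label = m.groups()
        if label not in types:
            problems.append(f"{kind}:{lineno}: {key} uses undeclared type {label}")
        elif EXPECTED_ATTR[kind] not in types[label]:
            problems.append(f"{kind}:{lineno}: {label} lacks {EXPECTED_ATTR[kind]}")
    return problems

# Constructed sample: the foo policy from the steps above, plus two bad entries.
SAMPLE_TE = """
type vnd_foo_hwservice, hwservice_manager_type;
type foo, domain;
type foo_exec, exec_type, vendor_file_type, file_type;
"""
SAMPLE_HWSERVICE = ("vendor.realtek.foo::IfooAPI  u:object_r:vnd_foo_hwservice:s0\n"
                    "vendor.example.bar::IBar     u:object_r:foo_exec:s0\n")
SAMPLE_FILE = "/vendor/bin/foo  u:object_r:foo_exec:s0\n/vendor/bin/bar  u:object_r:bar_exec:s0\n"

if __name__ == "__main__":
    t = declared_types(SAMPLE_TE)
    print(*check_contexts("hwservice_contexts", SAMPLE_HWSERVICE, t),
          *check_contexts("file_contexts", SAMPLE_FILE, t), sep="\n")
```

Catching a mislabeled entry this way is cheaper than finding it later as an avc denial or as a service registered under a type no domain is allowed to find.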
    

Building policy files

There are typically seven SELinux-related files on an Android device (see more details here):

  • selinux_version
  • sepolicy: binary output after combining policy files (security_classes, initial_sids, *.te, etc)
  • file_contexts
  • property_contexts
  • seapp_contexts
  • service_contexts
  • system/etc/mac_permissions.xml

Building file_contexts.bin

The build finds file_contexts in /system/sepolicy and BOARD_SEPOLICY_DIR.

Output files:
out/target/product/$DEVICE/obj/ETC/nonplat_file_contexts_intermediates/nonplat_file_contexts
out/target/product/$DEVICE/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts

Binary file:
out/target/product/$DEVICE/obj/ETC/file_contexts.bin_intermediates/file_contexts.bin

Installed to root/file_contexts.bin

Building policy configuration

The build finds security_classes, initial_sids, *.te, genfs_contexts, and port_contexts in /system/sepolicy and BOARD_SEPOLICY_DIR.

Configuration files:
out/target/product/$DEVICE/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf
out/target/product/$DEVICE/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy.conf
out/target/product/$DEVICE/obj/ETC/general_sepolicy.conf_intermediates/general_sepolicy.conf

Installed to /root/sepolicy