
Stephen Smalley committed a855f63

Various fixes for seandroid.

/data/security mode should be 0711 to permit non-root search
for use by installd.
Move chown calls for /sys/fs/selinux boolean files to same place as enforce.
Add netlabels service.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>


Files changed (1)

 # create mountpoints
     mkdir /mnt 0775 root system
 
-    # Allow system UID to setenforce and set booleans
-    chown system system /sys/fs/selinux/enforce
-    chown -R system system /sys/fs/selinux/booleans
-    chown system system /sys/fs/selinux/commit_pending_bools
-
 on init
 
 sysclktz 0
     symlink /data/data/com.android.shell/files/bugreports /data/bugreports
 
     # Separate location for storing security policy files on data
-    mkdir /data/security 0700 system system
+    mkdir /data/security 0711 system system
 
     # Reload policy from /data/security if present.
     setprop selinux.reload_policy 1
 
 # Set these so we can remotely update SELinux policy
     chown system system /sys/fs/selinux/enforce
+    chown -R system system /sys/fs/selinux/booleans
+    chown system system /sys/fs/selinux/commit_pending_bools
 
 # Define TCP buffer sizes for various networks
 #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
     user shell
     group log
 
+service netlabels /system/bin/selinux-network.sh
+    class core
+    oneshot
+
 service auditd /system/bin/auditd -k
     class main
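Review bot: `mkdir /data/security 0711 system system` grants directory search to every UID, while the commit message names only installd as needing it, so the directory mode no longer keeps other processes away from files whose names they know. Creating and deleting entries stays limited to the owner, but each policy file placed there now has to carry its own restrictive mode. I would record that on the line, e.g. `# 0711: search-only for non-owners so installd can reach known paths; files here must not be group- or world-writable`. If installd's group membership allows it (not visible in this diff), a group-scoped mode would be narrower than opening search to 'other'. The context line `setprop selinux.reload_policy 1` shows policy is reloaded from this directory, so the integrity of what lands there decides which policy is loaded.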