README for configuration of selinux policy
This README intends to document the various configuration options that exist for specifying device specific additions to the policy.
Change-Id: I7db708429a67deeb89b0c155a116606dcbbbc975
parent eab23895cd
commit 3f1ed6ec62
1 changed files with 58 additions and 0 deletions
58
README
Normal file
|
@ -0,0 +1,58 @@
|
|||
Policy Generation:
|
||||
|
||||
Additional, per device, policy files can be added into the
|
||||
policy build.
|
||||
|
||||
They can be configured through the use of three variables,
|
||||
they are:
|
||||
1. BOARD_SEPOLICY_REPLACE
|
||||
2. BOARD_SEPOLICY_UNION
|
||||
3. BOARD_SEPOLICY_DIRS
|
||||
|
||||
The variables should be set in the BoardConfig.mk file in
|
||||
the device or vendor directories.
|
||||
|
||||
BOARD_SEPOLICY_UNION is a list of files that will be
|
||||
"unioned", IE concatenated, at the END of their respective
|
||||
file in external/sepolicy. Note, to add a unique file you
|
||||
would use this variable.
|
||||
|
||||
BOARD_SEPOLICY_REPLACE is a list of files that will be
|
||||
used instead of the corresponding file in external/sepolicy.
|
||||
|
||||
BOARD_SEPOLICY_DIRS contains a list of directories to search
|
||||
for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
|
||||
matters in this list.
|
||||
eg.) If you have BOARD_SEPOLICY_UNION := widget.te and have 2
|
||||
instances of widget.te files on BOARD_SEPOLICY_DIRS search path.
|
||||
The first one found (at the first search dir containing the file)
|
||||
gets processed first.
|
||||
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
|
||||
will help sort out ordering issues.
|
||||
|
||||
It is an error to specify a BOARD_POLICY_REPLACE file that does
|
||||
not exist in external/sepolicy.
|
||||
|
||||
It is an error to specify a BOARD_POLICY_REPLACE file that appears
|
||||
multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
|
||||
eg.) if you specify shell.te in BOARD_SEPOLICY_REPLACE and
|
||||
BOARD_SEPOLICY_DIRS is set to
|
||||
"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
|
||||
appears in both locations, it is an error.
|
||||
|
||||
It is an error to specify the same file name in both
|
||||
BOARD_POLICY_REPLACE and BOARD_POLICY_UNION.
|
||||
|
||||
It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
|
||||
specifying BOARD_SEPOLICY_REPLACE.
|
||||
|
||||
Example Usage:
|
||||
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
|
||||
|
||||
BOARD_SEPOLICY_DIRS := \
|
||||
device/samsung/tuna/sepolicy
|
||||
|
||||
BOARD_SEPOLICY_UNION := \
|
||||
genfs_contexts \
|
||||
file_contexts \
|
||||
sepolicy.te
|
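Review bot: The error rules in the second half of the README name the variables BOARD_POLICY_REPLACE and BOARD_POLICY_UNION (the "does not exist in external/sepolicy", "appears multiple times on the policy search path" and "same file name in both" paragraphs), while the numbered list at the top, the per-variable descriptions and the Tuna example all use BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION. A reader who copies the name from an error rule into BoardConfig.mk would be setting a variable the README never defines, so those three paragraphs should use the BOARD_SEPOLICY_ prefix. Separately, the error conditions cover REPLACE in detail but say nothing about a BOARD_SEPOLICY_UNION file that is found in none of the BOARD_SEPOLICY_DIRS entries; stating whether that is an error or silently ignored would help, since a silently dropped policy file is hard to spot without reading policy.conf.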