Go to file
topjohnwu f7c0499158 Add auto allow patch support
The patch will work like this:

./sepolicy-inject --auto -P sepolicy
This will allow all possible transition (just like selinux disabled)

./sepolicy-inject --auto -s su -P sepolicy
This will allow all transitions from su to any type

./sepolicy-inject --auto -t su -P sepolicy
This will allow all transitions from any type to su

./sepolicy-inject --auto -c file -P sepolicy
This will allow any transitions involving the class file

./sepolicy-inject --auto -s su -t system_data_file -P sepolicy
This will allow all transitions from su to system_data_file

You should get the logic now :)
2016-08-12 02:50:50 +08:00
libs Added arch detection to makefile for x86 and x86_64 2015-11-11 14:27:53 -06:00
Makefile Added arch detection to makefile for x86 and x86_64 2015-11-11 14:27:53 -06:00
README.txt Update README 2015-11-14 17:02:09 +01:00
sepolicy-inject.c Add auto allow patch support 2016-08-12 02:50:50 +08:00

Injects allow rules into binary SELinux kernel policies

Injecting a rule:
$ ./sepolicy-inject -s shell -t system -c file -p read -P sepolicy

Injecting multiple permissions:
$ ./sepolicy-inject -s shell -t system -c file -p read,write,open -P sepolicy

Add a type_attribute to a domain:
$ ./sepolicy-inject -s su -a mlstrustedsubject -P sepolicy

Injecting a permissive domain:
$ ./sepolicy-inject -Z shell -P sepolicy

Change a permissive domain to non-permissive:
$ ./sepolicy-inject -z shell -P sepolicy 

Test a SELinux type exists:
$ ./sepolicy-inject -e -s shell -P sepolicy 

Test a SELinux class exists:
$ ./sepolicy-inject -e -c service_manager -P sepolicy 

Add a transition:
$ ./sepolicy-inject -s su_daemon -f device -c file -t su_device -P sepolicy

Add a filename transition:
$ ./sepolicy-inject -s su_daemon -f device -c file -g "socket" -t su_device -P sepolicy