Start fixing and updating SELinux docs.
This is just a start; trying to avoid rewriting the entire contents,
at least in this change.
Clarify what SELinux is/does.
Define permissive mode, enforcing mode, and per-domain permissive.
Define domain.
Correct list of enforcing domains for 4.4.
Avoid confusing misuse of domain, role, etc.
Clarify that it should not be necessary to directly modify external/sepolicy
files or copy them to device/vendor/product/sepolicy.
Note where the BOARD_SEPOLICY variables are documented. Maybe
should inline here.
Replace suggestion to release in permissive mode with explanation of
how to make new domains permissive.
Tweak the paths for external/sepolicy; if they are supposed to be
relative to a repo client, then it should just be external/sepolicy.
Very unclear as to whether/why we even need to point them repeatedly
to the URLs for kernel/common and external/sepolicy.
Correct explanation of how apps are labeled; should likely expand.
Correct very confusing explanation of allow/domain/context; not sure
if this belongs here at all.
Note importance of using macros.
Note how to capture entire denial stream from running device or last boot.
Bug: 13479856
Change-Id: I7dcb33fb54358d360fc07235ce93adad1a51800a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
1 file changed
