author | Treehugger Robot <treehugger-gerrit@google.com> | 2017-02-10 06:28:51 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2017-02-10 06:28:52 +0000 |
commit | 2ce2f56202236c2ba2c39b69441796b3d374e831 (patch) | |
tree | 659e84dee9ce9b8fd2b737ba88a91e58af60f0c2 | |
parent | 88dae058b0be1d2a15b71f546dab81d05fb2fea0 (diff) | |
parent | cd00953def1df17183eaeba475ce27843fd4e88a (diff) | |
download | source.android.com-2ce2f56202236c2ba2c39b69441796b3d374e831.tar.gz |
Merge "Fix SELinux documentation."
-rw-r--r-- | src/security/selinux/validate.jd | 20 |
1 files changed, 5 insertions, 15 deletions
diff --git a/src/security/selinux/validate.jd b/src/security/selinux/validate.jd index 44588535..3f6dea05 100644 --- a/src/security/selinux/validate.jd +++ b/src/security/selinux/validate.jd @@ -31,7 +31,7 @@ policy to a test pool of devices first.</p> <p>Once applied, make sure SELinux is running in the correct mode on the device by issuing the command:getenforce</p> -<p>This will print the global SELinux mode: either Disabled, Enforcing, or +<p>This will print the global SELinux mode: either Enforcing or Permissive. Please note, this command shows only the global SELinux mode. To determine the SELinux mode for each domain, you must examine the corresponding files or run the latest version of <code>sepolicy-analyze</code> with the appropriate (-p) flag, present in /platform/system/sepolicy/tools/.</p> @@ -108,29 +108,19 @@ $ adb shell su root setenforce 0 <pre> androidboot.selinux=permissive -androidboot.selinux=disabled androidboot.selinux=enforcing </pre> <h2 id=using_audit2allow>Using audit2allow</h2> <p>The <code>selinux/policycoreutils/audit2allow</code> tool takes <code>dmesg</code> denials and converts them into corresponding SELinux policy statements. As -such, it can greatly speed SELinux development. To install it, run:</p> +such, it can greatly speed SELinux development. <code>audit2allow</code> is shipped as part of the Android source tree and +is compiled automatically when you build Android from source.</p> -<pre> -$ sudo apt-get install policycoreutils -</pre> - -<p>To use it on Ubuntu 12.04, run:</p> - -<pre> -$ adb shell su root dmesg | audit2allow -</pre> +<p>To use it, run:</p> -<p>On Ubuntu 14.04 and newer, audit2allow requires you to specify the Android policy -using the -p option, e.g. <pre> -$ adb shell su root dmesg | audit2allow -p out/target/product/<device>/root/sepolicy +$ adb shell su root dmesg | audit2allow -p $OUT/root/sepolicy </pre> <p>Nevertheless, care must be taken to examine each potential addition for |
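Review bot: In the first hunk (@@ -31,7 +31,7 @@), the unchanged line just above the edited sentence reads `command:getenforce`, with the command run into the prose and no <code> markup, although the same paragraph wraps sepolicy-analyze in <code>. Since this paragraph is being edited anyway, put getenforce in <code> with a space after the colon. The edit also drops Disabled from the list of modes without the text or the commit message ("Fix SELinux documentation.") saying why; one sentence of rationale in the commit message would help anyone comparing against the earlier wording.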
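Review bot: In the second hunk (@@ -108,29 +108,19 @@), the new command `audit2allow -p $OUT/root/sepolicy` depends on two things the replacement text never states: that `$OUT` is set in the shell, and that the built audit2allow is on the PATH. The removed text spelled the path out as out/target/product/<device>/root/sepolicy and gave an explicit install step, so a reader following the new version alone gets neither. I would add a sentence saying what `$OUT` refers to and where the compiled tool ends up. It is also worth saying that the policy passed to -p should be the one the device that produced the dmesg denials is actually running, since the suggested rules are only meaningful against that policy.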