author | Android Partner Docs <noreply@android.com> | 2017-06-13 21:09:54 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-06-13 21:09:54 +0000 |
commit | 669198e6d1bd5047baeea4f298f27ec22fbc71f5 (patch) | |
tree | b0254fc055b6adcae6a60704966ac029afb600cf /en/security/selinux/device-policy.html | |
parent | e5ecdabfcf75d07d42c93ab2b472b8340b674ae7 (diff) | |
parent | 6ccb9c7cc8450031ad567d3c9776484b50db738b (diff) | |
download | source.android.com-669198e6d1bd5047baeea4f298f27ec22fbc71f5.tar.gz |
Merge "Docs: Changes to source.android.com" am: 0a9ccdf0b0 am: c391221fea
am: 6ccb9c7cc8
Change-Id: Iab4f379296dcb3ce09ead8e1b57a4e8654691adc
Diffstat (limited to 'en/security/selinux/device-policy.html')
-rw-r--r-- | en/security/selinux/device-policy.html | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/en/security/selinux/device-policy.html b/en/security/selinux/device-policy.html index 82e6c4b1..6fe8b209 100644 --- a/en/security/selinux/device-policy.html +++ b/en/security/selinux/device-policy.html @@ -62,7 +62,9 @@ After modifying the command line, perform <code>make clean</code>, then <p>After that, confirm permissive mode with:</p> -<p><code>adb getenforce</code></p> +<pre class="devsite-terminal devsite-click-to-copy"> +adb getenforce +</pre> <p>Two weeks is a reasonable amount of time to be in global permissive mode. After @@ -104,7 +106,7 @@ scratch on a new device, which include:</p> <p>Denials generated by core services are typically addressed by file labeling. For example:</p> -<pre class="no-pretty-print"> +<pre> avc: denied { open } for pid=1003 comm=”mediaserver” path="/dev/kgsl-3d0” dev="tmpfs" scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 @@ -164,7 +166,7 @@ permissions.</p> <p>The service is launched in our device’s <code>init.<target>.rc</code> file as:</p> -<pre class="no-pretty-print"> +<pre class="devsite-click-to-copy"> service foo /system/bin/foo class core </pre> @@ -175,7 +177,7 @@ service foo /system/bin/foo <p>Create the file <code>device/<oem>/<target>/sepolicy/foo.te</code> with the following contents:</p> -<pre class="no-pretty-print"> +<pre class="devsite-click-to-copy"> # foo service type foo, domain; type foo_exec, exec_type, file_type; @@ -193,7 +195,7 @@ init_daemon_domain(foo) <p>Add the following to <code>device/<oem>/<target>/sepolicy/ file_contexts</code>:</p> -<pre class="no-pretty-print"> +<pre class="devsite-click-to-copy"> /system/bin/foo u:object_r:foo_exec:s0 </pre> 
@@ -231,7 +233,7 @@ device-specific policies.</p> <p>The following example rule is like locking the front door but leaving the windows open:</p> -<p><code>allow { domain -untrusted_app } scary_debug_device:chr_file rw_file_perms</code>.</p> +<pre>allow { domain -untrusted_app } scary_debug_device:chr_file rw_file_perms</pre> <p>The intent is clear: everyone but third-party apps may have access to the debug device. </p> |
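Review bot: In the hunk at @@ -62,7 +62,9 @@, the command moved into the new terminal block is still `adb getenforce`, which is not an adb subcommand. getenforce runs on the device, so the line should read `adb shell getenforce`. The block is now click-to-copy, so readers will paste it verbatim and the step that is meant to confirm permissive mode will fail instead of reporting the mode.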
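Review bot: In the hunk at @@ -104,7 +106,7 @@, the sample denial directly under the changed `<pre>` mixes typographic and straight quotes (comm=”mediaserver” and path="/dev/kgsl-3d0”), so it does not match the form a real avc line takes, and a reader searching a log for the quoted strings will get no match. Replace the curly quotes with ASCII double quotes while touching this block. This is also the only code block in the patch reduced to a bare `<pre>` while the policy blocks get `devsite-click-to-copy`; if that is intentional for log output, a short note in the commit message would help.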
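Review bot: In the hunk at @@ -231,7 +233,7 @@, the rule placed in the new `<pre>` has no terminating semicolon. The old inline form ended with a sentence period outside `</code>`, and dropping it leaves the statement unterminated. Now that it is a standalone policy block, end it with `;` as the statements in the foo.te example earlier in this file do (`type foo, domain;`), so the block is a syntactically complete allow rule even though it is shown as an example of what not to write.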