Docs: Changes to source.android.com

  - 170780545 Remove empty sectiion by daroberts <daroberts@google.com>
  - 170778785 Remove VTS and Architecture exclusions form translation f... by daroberts <daroberts@google.com>
  - 170776221 ignore paths -> ignore_paths (Added underscode) by Android Partner Docs <noreply@android.com>
  - 170770237 Add tags for October Security Release. by Android Partner Docs <noreply@android.com>
  - 170760109 Remove a note that doesn't belong on this page. by Android Partner Docs <noreply@android.com>
  - 170722413 Update Oct 2017 Pixel Bulletin headers by daroberts <daroberts@google.com>
  - 170718989 Small edits to Pixel bulletin by daroberts <daroberts@google.com>
  - 170716226 Fix broken link by daroberts <daroberts@google.com>
  - 170712949 October 2017 Android and Pixel security bulletins by daroberts <daroberts@google.com>
  - 170543005 Add section highlighting latest version packages, downgra... by claym <claym@google.com>
  - 170533303 Fix fileencryption flag from Ruslan Piasetskyi by claym <claym@google.com>
  - 170497015 Temporarily excluding the architecture and VTS directories by daroberts <daroberts@google.com>
  - 170490636 Update CDD link and section number by claym <claym@google.com>
  - 170409254 Consolidate and fix binary links, add VNDK section to req... by claym <claym@google.com>
  - 170390746 Update android-base.cfg link. by cqn <cqn@google.com>
  - 170369057 Updated incorrect vendor reference. by Android Partner Docs <noreply@android.com>
  - 170353198 Make final list ordered now that we know all apply. by claym <claym@google.com>
  - 170246953 Fix flashing procedure description by Android Partner Docs <noreply@android.com>
  - 170203192 Adding titles for resources, fixing links, minor text twe... by hvm <hvm@google.com>
  - 170113678 Fix ambigious profile reference by claym <claym@google.com>
  - 170113463 researcher acknowledgment update by Android Partner Docs <noreply@android.com>
  - 170100609 Adding definition for DRM. by hvm <hvm@google.com>
  - 170099262 Add link to /git-repo/+/master/docs/manifest-format.txt by claym <claym@google.com>
  - 170098404 Fix Site Feedback link by claym <claym@google.com>
  - 170088099 Add Help this Site plea to home page About statement by claym <claym@google.com>
  - 170066318 Fixing uncapitalized start of sentence. by hvm <hvm@google.com>

PiperOrigin-RevId: 170780545
Change-Id: I9b379d805b97eff2cc683746700cfb75282ffc4d

1 files changed, 62 insertions, 62 deletions

diff --git a/en/security/selinux/index.html b/en/security/selinux/index.html
index f45d517d..e5ad9a12 100644
--- a/en/security/selinux/index.html
+++ b/en/security/selinux/index.html
@@ -39,83 +39,83 @@ security model</a>, Android uses SELinux to enforce mandatory access control
 (a.k.a. Linux capabilities). SELinux enhances Android security by confining
 privileged processes and automating security policy creation.</p>
 
-<p>Contributions to it have been made by a number
-of companies and organizations; all Android code
-and contributors are publicly available for review on <a
-href="https://android.googlesource.com/">android.googlesource.com</a>. With
-SELinux, Android can better protect and confine system services, control
-access to application data and system logs, reduce the effects of malicious
-software, and protect users from potential flaws in code on mobile devices.</p>
-
-<p>Android includes SELinux in enforcing mode and a
-corresponding security policy that works by default across the <a
-href="https://android.googlesource.com/">Android Open Source Project</a>. In
-enforcing mode, illegitimate actions are prevented and all attempted violations
-are logged by the kernel to <code>dmesg</code> and <code>logcat</code>. Android
-device manufacturers should gather information about errors so they may
-refine their software and SELinux policies before enforcing them.</p>
+<p>Many companies and organizations have contributed to SELinux; their
+contributions are publicly available for review on
+<a href="https://android.googlesource.com/" class="external">android.googlesource.com</a>,
+aka the Android Open Source Project (AOSP). With SELinux, Android can better
+protect and confine system services, control access to application data and
+system logs, reduce the effects of malicious software, and protect users from
+potential flaws in code on mobile devices.</p>
+
+<p>Android includes SELinux in enforcing mode and a corresponding security
+policy that works by default across AOSP. In enforcing mode, illegitimate
+actions are prevented and all attempted violations are logged by the kernel to
+<code>dmesg</code> and <code>logcat</code>. Android device manufacturers should
+gather information about errors so they may refine their software and SELinux
+policies before enforcing them.</p>
 
 <h2 id=background>Background</h2>
+<p>SELinux operates on the ethos of default denial: Anything not explicitly
+allowed is denied. SELinux can operate in one of two global modes:</p>
+<ul>
+<li><em>Permissive</em> mode, in which permission denials are logged but not
+enforced.</li>
+<li><em>Enforcing</em> mode, in which permissions denials are both logged
+<strong>and</strong> enforced.</li>
+</ul>
 
-<p>SELinux operates on the ethos of default denial. Anything that is not
-explicitly allowed is denied. SELinux can operate in one of two global modes:
-permissive mode, in which permission denials are logged but not enforced, and
-enforcing mode, in which denials are both logged and enforced. SELinux also
-supports a per-domain permissive mode in which specific domains (processes) can
-be made permissive while placing the rest of the system in global enforcing
-mode. A domain is simply a label identifying a process or set of processes in
-the security policy, where all processes labeled with the same domain are
-treated identically by the security policy. Per-domain permissive mode enables
-incremental application of SELinux to an ever-increasing portion of the system.
-Per-domain permissive mode also enables policy development for new services
-while keeping the rest of the system enforcing.</p>
-
-<p>In the Android 5.0 (L) release, Android moves to full enforcement of
-SELinux. This builds upon the permissive release of 4.3 and the partial
-enforcement of 4.4. In short, Android is shifting from enforcement on a
-limited set of crucial domains (<code>installd</code>, <code>netd</code>,
-<code>vold</code> and <code>zygote</code>) to everything (more than 60
-domains). This means manufacturers will have to better understand and scale
-their SELinux implementations to provide compatible devices. Understand
-that:</p>
-
+<p>SELinux also supports a <em>per-domain permissive</em> mode in which specific
+domains (processes) can be made permissive while placing the rest of the system
+in global enforcing mode. A domain is simply a label identifying a process or set
+of processes in the security policy, where all processes labeled with the same
+domain are treated identically by the security policy. Per-domain permissive
+mode enables incremental application of SELinux to an ever-increasing portion of
+the system and policy development for new services (while keeping the rest of
+the system enforcing).</p>
+
+<p>The Android 5.0 release moved to full enforcement of SELinux, building on the
+permissive release of Android 4.3 and the partial enforcement of Android 4.4.
+With this change, Android shifted from enforcement on a limited set of crucial
+domains (<code>installd</code>, <code>netd</code>, <code>vold</code> and
+<code>zygote</code>) to everything (more than 60 domains). Specifically:</p>
 
 <ul>
-<li>Everything is in enforcing mode in the 5.0 release</li>
-<li> No processes other than <code>init</code> should run in the
-<code>init</code> domain</li>
-<li> Any generic denial (for a block_device, socket_device, default_service,
-etc.) indicates that device needs a special domain</li>
+<li>Everything is in enforcing mode in Android 5.x and higher.</li>
+<li>No processes other than <code>init</code> should run in the
+<code>init</code> domain.</li>
+<li>Any generic denial (for a <code>block_device</code>,
+<code>socket_device</code>, <code>default_service</code>, etc.) indicates that
+device needs a special domain.</li>
 </ul>
+<p>As a result, manufacturers need to better understand and scale their SELinux
+implementations to provide compatible devices.</p>
 
-<h2 id=supporting_documentation>Supporting documentation</h2>
+<h2 id=supporting_documentation>Additional resources</h2>
 
-<p>See the documentation below for details on constructing useful policies:</p>
+<p>For help constructing useful SELinux policies, refer to the following
+resources:</p>
 
-<p><a href="https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf">
-https://events.linuxfoundation.org/sites/events/files/slides/
-abs2014_seforandroid_smalley.pdf</a></p>
+<ul><li><a href="https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf" class="external">
+Security Enhancements for Linux</a></li>
 
-<p><a href="https://www.internetsociety.org/sites/default/files/02_4.pdf">
-https://www.internetsociety.org/sites/default/files/02_4.pdf</a></p>
+<li><a href="http://www.cs.columbia.edu/~lierranli/coms6998-7Spring2014/papers/SEAndroid-NDSS2013.pdf" class="external">
+Security Enhanced (SE) Android: Bringing Flexible MAC to Android</a></li>
 
-<p><a href="http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf">
-http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf</a></p>
+<li><a href="http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf" class="external">
+The SELinux Notebook, 4th Edition</a></li>
 
-<p><a href="http://selinuxproject.org/page/ObjectClassesPerms">
-http://selinuxproject.org/page/ObjectClassesPerms</a></p>
+<li><a href="http://selinuxproject.org/page/ObjectClassesPerms" class="external">
+SELinux Object Classes and Permissions Reference</a></li>
 
-<p><a href="https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/implementing-selinux-as-linux-security-module-report.pdf">
-https://www.nsa.gov/resources/everyone/digital-media-center/publications/
-research-papers/assets/files/
-implementing-selinux-as-linux-security-module-report.pdf</a></p>
+<li><a href="https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/implementing-selinux-as-linux-security-module-report.pdf" class="external">
+Implementing SELinux as a Linux Security Module</a></li>
 
-<p><a href="https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/configuring-selinux-policy-report.pdf">
-https://www.nsa.gov/resources/everyone/digital-media-center/publications/
-research-papers/assets/files/configuring-selinux-policy-report.pdf</a></p>
+<li><a href="https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/configuring-selinux-policy-report.pdf" class="external">
+Configuring the SELinux Policy</a></li>
 
-<p><a href="https://www.gnu.org/software/m4/manual/index.html">
-https://www.gnu.org/software/m4/manual/index.html</a></p>
+<li><a href="https://www.gnu.org/software/m4/manual/index.html" class="external">
+GNU M4 - GNU Macro Processor Manual</a></li>
+</ul>
 
   </body>
 </html>