Diffstat (limited to 'en/security/selinux/device-policy.html')
-rw-r--r-- en/security/selinux/device-policy.html 14
1 files changed, 8 insertions, 6 deletions
diff --git a/en/security/selinux/device-policy.html b/en/security/selinux/device-policy.html
index 82e6c4b1..6fe8b209 100644
--- a/en/security/selinux/device-policy.html
+++ b/en/security/selinux/device-policy.html
@@ -62,7 +62,9 @@ After modifying the command line, perform <code>make clean</code>, then
<p>After that, confirm permissive mode with:</p>
-<p><code>adb getenforce</code></p>
+<pre class="devsite-terminal devsite-click-to-copy">
+adb getenforce
+</pre>
<p>Two weeks is a reasonable amount of time to be in global permissive mode. After
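Review bot: The command in the new terminal block, `adb getenforce`, is not an adb subcommand; getenforce runs on the device, so this should read `adb shell getenforce`. Now that the block is click-to-copy, readers will paste it verbatim and get an adb usage error instead of the Enforcing/Permissive answer the paragraph tells them to confirm, so fix the command in the same change.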
@@ -104,7 +106,7 @@ scratch on a new device, which include:</p>
<p>Denials generated by core services are typically addressed by file labeling.
For example:</p>
-<pre class="no-pretty-print">
+<pre>
avc: denied { open } for pid=1003 comm=”mediaserver” path="/dev/kgsl-3d0”
dev="tmpfs" scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
tclass=chr_file permissive=1
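Review bot: The first line of the denial in this block still carries typographic quotes (comm=”mediaserver” and the closing quote after /dev/kgsl-3d0), so the sample does not match what the audit log actually prints and will not match if a reader searches or pastes it. Since the block is being touched anyway, replace them with straight quotes. Also note this is the only converted block that ends up as a bare <pre> with no class; if that is deliberate because it is log output rather than something to copy, fine, but please confirm that dropping no-pretty-print does not let the highlighter restyle the log text.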
@@ -164,7 +166,7 @@ permissions.</p>
<p>The service is launched in our device’s <code>init.&lt;target&gt;.rc</code> file as:</p>
-<pre class="no-pretty-print">
+<pre class="devsite-click-to-copy">
service foo /system/bin/foo
class core
</pre>
@@ -175,7 +177,7 @@ service foo /system/bin/foo
<p>Create the file <code>device/&lt;oem&gt;/&lt;target&gt;/sepolicy/foo.te</code>
with the following contents:</p>
-<pre class="no-pretty-print">
+<pre class="devsite-click-to-copy">
# foo service
type foo, domain;
type foo_exec, exec_type, file_type;
@@ -193,7 +195,7 @@ init_daemon_domain(foo)
<p>Add the following to <code>device/&lt;oem&gt;/&lt;target&gt;/sepolicy/
file_contexts</code>:</p>
-<pre class="no-pretty-print">
+<pre class="devsite-click-to-copy">
/system/bin/foo u:object_r:foo_exec:s0
</pre>
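Review bot: The context just above the changed line breaks the path inside the <code> element ("sepolicy/" then "file_contexts" on the next line), which renders with a space in the middle of the file name. With the block below now click-to-copy, readers are more likely to follow this step literally, so join the path onto one line while editing here.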
@@ -231,7 +233,7 @@ device-specific policies.</p>
<p>The following example rule is like locking the front door but leaving the
windows open:</p>
-<p><code>allow { domain -untrusted_app } scary_debug_device:chr_file rw_file_perms</code>.</p>
+<pre>allow { domain -untrusted_app } scary_debug_device:chr_file rw_file_perms</pre>
<p>The intent is clear: everyone but third-party apps may have access to the debug
device. </p>
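Review bot: The rule in the new <pre> has no terminating semicolon. In the old markup the trailing period was sentence punctuation after </code>; moved into a preformatted block, the line now reads as a policy statement and should end with `rw_file_perms;` to be syntactically valid. Leaving this block without devsite-click-to-copy looks right, since it is shown as a rule not to write; a short note in the commit message saying that is intentional would help the next editor.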