I'm trying to do the Android SELinux implementation. For files, I can define the file's SELinux security context in the file_contexts file. Say I was adding a /system/bin/mymodule file; I could assign its scontext by adding it to /system/sepolicy/private/file_contexts. But what about the process's SELinux security context? I can't find anywhere I could simply define it.
I know the process security context is inherited from its parent process, but is there any mechanism by which I could force-set the process security context, just like for the file?
Any insight?
There are two things you need to do:
1. Define a Context
Let's assume you want to create a custom context called np_mybinary for your binary.
This is what your .te file will have to contain:
type np_mybinary, domain;
type np_mybinary_exec, exec_type, vendor_file_type, file_type;
This is what your file_contexts file will have to contain:
/system/bin/mymodule u:object_r:np_mybinary_exec:s0
2. Define a Transition
You need to define the transition from the parent process context to np_mybinary_exec.
domain_auto_trans(<parent-context>, np_mybinary_exec, np_mybinary)
If your process is started by init, there is a simple macro available:
init_daemon_domain(np_mybinary);
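Putting both steps together, here is a complete worked example (added here, not part of the answer above): the .te file, the file_contexts line, and how to confirm the transition on a device. The init.rc service name "mymodule" and the data-file type in the commented allow rule are assumptions; system_file_type is used for the exec type because the binary lives under /system.

```text
# --- system/sepolicy/private/np_mybinary.te (constructed example) ---
# Process domain. coredomain marks it as a system-partition (non-vendor)
# domain, which is what a daemon installed under /system/bin needs.
type np_mybinary, domain, coredomain;

# Type for the executable file itself. system_file_type is used because
# the binary is installed under /system (a /vendor binary would carry
# vendor_file_type instead).
type np_mybinary_exec, system_file_type, exec_type, file_type;

# Case 1: the daemon is launched by init. The macro expands to the
# init -> np_mybinary transition on np_mybinary_exec plus the tmpfs
# rules a daemon needs, so no separate domain_auto_trans is required.
init_daemon_domain(np_mybinary)

# Case 2 (alternative): the binary is executed by another domain,
# e.g. the adb shell. Spell the transition out explicitly instead.
# domain_auto_trans(shell, np_mybinary_exec, np_mybinary)

# Whatever the daemon actually does still needs allow rules, e.g.
# writing its own files under /data (np_mybinary_data_file is hypothetical):
# allow np_mybinary np_mybinary_data_file:file { create open write };

# --- system/sepolicy/private/file_contexts (one added line) ---
/system/bin/mymodule    u:object_r:np_mybinary_exec:s0

# --- init.rc service entry (assumed service name "mymodule") ---
# service mymodule /system/bin/mymodule
#     class main
#     user system
#     group system

# --- Verifying on the device after flashing the rebuilt image ---
#   ls -Z /system/bin/mymodule      -> u:object_r:np_mybinary_exec:s0 ...
#   ps -AZ | grep mymodule          -> u:r:np_mybinary:s0 ...
# If ps still shows the parent's context (u:r:init:s0), the transition
# did not happen: check the file label with ls -Z first, then check that
# the .te file was actually compiled into the policy.
```

Without the file label the domain transition never fires, because domain_auto_trans keys on the exec type of the file being executed, not on the binary's path.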