目录拆分（未测试）

Signed-off-by: Qin Fandong <qinfd@superred.com.cn>

BUILD.gn

@@ -2,7 +2,7 @@ SELINUX_ROOT_DIR = "//base/security/selinux"
 
 ohos_executable("selinux_test") {
   install_enable = true
-  sources = [ "$SELINUX_ROOT_DIR/demo/demoloop.c" ]
+  sources = [ "$SELINUX_ROOT_DIR/test/selinux_test.c" ]
   cflags = [
     "-D_GNU_SOURCE",
     "-DUSE_PCRE2",
@@ -17,7 +17,7 @@ ohos_executable("selinux_test") {
 }
 
 action("build_policy") {
-  script = "demo/build_policy.sh"
+  script = "scripts/build_policy.sh"
   deps = [
     ":checkpolicy($host_toolchain)",
     ":secilc($host_toolchain)",
@@ -25,21 +25,21 @@ action("build_policy") {
   outputs = [ "$root_out_dir/" ]
 }
 
-ohos_prebuilt_etc("config") {
-  source = "$SELINUX_ROOT_DIR/demo/config"
+ohos_prebuilt_etc("build_sepolicy") {
+  deps = [ ":build_policy" ]
+  source = "$SELINUX_ROOT_DIR/sepolicy/policy.31"
   part_name = "selinux"
-  relative_install_dir = "selinux"
+  relative_install_dir = "selinux/targeted/policy/"
 }
 
-ohos_prebuilt_etc("precompiled_sepolicy") {
-  deps = [ ":build_policy" ]
-  source = "$SELINUX_ROOT_DIR/demo/policy.31"
+ohos_prebuilt_etc("config") {
+  source = "$SELINUX_ROOT_DIR/config/config"
   part_name = "selinux"
-  relative_install_dir = "selinux/targeted/policy"
+  relative_install_dir = "selinux/"
 }
 
 ohos_prebuilt_etc("file_contexts") {
-  source = "$SELINUX_ROOT_DIR/demo/file_contexts"
+  source = "$SELINUX_ROOT_DIR/sepolicy/file_contexts"
   part_name = "selinux"
-  relative_install_dir = "selinux/targeted/contexts/files"
+  relative_install_dir = "selinux/targeted/contexts/files/"
 }

README.txt

@@ -0,0 +1,21 @@
+1. 同步 OpenHarmony 代码
+
+https://gitee.com/openharmony/docs/blob/master/zh-cn/device-dev/quick-start/quickstart-standard-package-environment.md
+
+按照步骤同步主线 L2 代码。
+
+
+2. 进行编译
+
+./build/prebuilts_download.sh
+./build.sh --product-name Hi3516DV300 --gn-args support_selinux=true
+
+
+3. 运行验证
+
+1) ls -lZ /         # 看标签是否成功
+2) ps -eZ           # 看标签是否成功
+3) setenforce 1     # 进行各种操作，观察是否被拦截，以及串口是否有 avc denied
+
+demoloop 命令暂时不验证。
+

config/config

@@ -0,0 +1 @@
+SELINUX=permissive

scripts/build_policy.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -ex
+
+CDIR=$(dirname $(readlink -f "$0"))
+RDIR=$(readlink -f "${CDIR}/../../../../")
+
+{
+  binary_dir="${RDIR}/out/ohos-arm-release/clang_x64/security/selinux/"
+  sepolicy_dir=$(readlink -f "${CDIR}/../sepolicy")
+
+  for product in 3516
+  do
+    command "${binary_dir}/checkpolicy" \
+      "${sepolicy_dir}/sepolicy.default.${product}.conf" \
+      -M -C -c 30 \
+      -o "${sepolicy_dir}/sepolicy.${product}.cil"
+
+    command "${binary_dir}/secilc" \
+      "${sepolicy_dir}/sepolicy.${product}.cil" \
+      -m -M true -G -c 30 -N \
+      -f /dev/null \
+      -o "${sepolicy_dir}/policy.${product}.31"
+  done
+
+  mv "${sepolicy_dir}/policy."{${product},}".31"
+}
+

sepolicy/.gitignore

@@ -0,0 +1,2 @@
+*.31
+*.cil

sepolicy/README.txt

@@ -1,34 +0,0 @@
-1. 同步 OpenHarmony 代码
-
-https://gitee.com/openharmony/docs/blob/master/zh-cn/device-dev/quick-start/quickstart-standard-package-environment.md
-
-按照步骤同步主线 L2 代码。
-
-
-2. 下载本仓库
-
-https://gitee.com/openharmony-sig/third_party_selinux.git -> third_party/selinux/
-
-
-3. 同步其他仓库
-
-productdefine/common/     <- https://gitee.com/hu-huifeng/productdefine_common.git
-third_party/toybox/       <- https://gitee.com/hu-huifeng/third_party_toybox.git
-base/security/permission/ <- https://gitee.com/hu-huifeng/security_permission.git
-base/startup/init_lite/   <- https://gitee.com/shell_way/startup_init_lite.git
-
-
-4. 进行编译
-
-./build/prebuilts_download.sh
-./build.sh --product-name Hi3516DV300
-
-
-5. 运行验证
-
-3) ls -lZ /         # 看标签是否成功
-4) ps -eZ           # 看标签是否成功
-5) setenforce 1     # 进行各种操作，观察是否被拦截，以及串口是否有 avc denied
-
-demoloop 命令暂时不验证。
-

sepolicy/build_policy.sh

@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-set -ex
-
-CDIR=$(dirname $(readlink -f "$0"))
-RDIR=$(readlink -f "${CDIR}/../../../")
-
-{
-  command "${RDIR}/out/ohos-arm-release/clang_x64/security/selinux/checkpolicy" \
-    -M -C -c 30 \
-    -o "${RDIR}/third_party/selinux/demo/test.cil" \
-    "${RDIR}/third_party/selinux/demo/sepolicy.default.3516.conf"
-
-  command "${RDIR}/out/ohos-arm-release/clang_x64/security/selinux/secilc" \
-    -m -M true -G -c 30 -N \
-    -f /dev/null \
-    -o "${RDIR}/third_party/selinux/demo/policy.31" \
-    "${RDIR}/third_party/selinux/demo/test.cil"
-}
-

sepolicy/config

@@ -1 +0,0 @@
-SELINUX=permissive

sepolicy/policy.31

@@ -1,3 +1,4 @@
-                                           README 
-    This file is needed by ohos_prebuilt_etc("precompiled_sepolicy") --> third_party/selinux/BUILD.gn
+! DO NOT DELETE THIS FILE !
+
+This needed by ohos_prebuilt_etc("precompiled_sepolicy") in ..//BUILD.gn
 

sepolicy/push.bat

@@ -1,43 +0,0 @@
-hdc_std.exe file send chkcon /bin/
-hdc_std.exe file send getenforce /bin/
-hdc_std.exe file send setenforce /bin/
-hdc_std.exe file send restorecon /bin/
-hdc_std.exe file send load_policy /bin/
-hdc_std.exe file send getfilecon /bin/
-hdc_std.exe file send setfilecon /bin/
-hdc_std.exe file send selinuxexeccon /bin/
-hdc_std.exe file send selinux_check_access /bin/
-hdc_std.exe file send getpidcon /bin/
-hdc_std.exe file send demoloop /bin/
-
-hdc_std.exe file send libload_policy.z.so /system/lib/
-hdc_std.exe file send librestorecon.z.so /system/lib/
-hdc_std.exe file send libpcre2.z.so /system/lib/
-hdc_std.exe file send libselinux.z.so /system/lib/
-hdc_std.exe file send libsepol.z.so /system/lib/
-
-hdc_std.exe shell mkdir -pv /etc/selinux/targeted/contexts/files/
-hdc_std.exe shell mkdir -pv /etc/selinux/targeted/policy/
-hdc_std.exe file send config /etc/selinux/config
-hdc_std.exe file send policy.31 /etc/selinux/targeted/policy/policy.31
-hdc_std.exe file send file_contexts /etc/selinux/targeted/contexts/files/file_contexts
-
-hdc_std.exe shell chmod -v 755 /bin/chkcon
-hdc_std.exe shell chmod -v 755 /bin/getenforce
-hdc_std.exe shell chmod -v 755 /bin/setenforce
-hdc_std.exe shell chmod -v 755 /bin/restorecon
-hdc_std.exe shell chmod -v 755 /bin/load_policy
-hdc_std.exe shell chmod -v 755 /bin/demoloop
-hdc_std.exe shell chmod -v 755 /bin/getfilecon
-hdc_std.exe shell chmod -v 755 /bin/setfilecon
-hdc_std.exe shell chmod -v 755 /bin/selinuxexeccon
-hdc_std.exe shell chmod -v 755 /bin/selinux_check_access
-hdc_std.exe shell chmod -v 755 /bin/getpidcon
-
-hdc_std.exe shell chmod -v 644 /system/lib/libload_policy.z.so
-hdc_std.exe shell chmod -v 644 /system/lib/librestorecon.z.so
-hdc_std.exe shell chmod -v 644 /system/lib/libpcre2.z.so
-hdc_std.exe shell chmod -v 644 /system/lib/libselinux.z.so
-hdc_std.exe shell chmod -v 644 /system/lib/libsepol.z.so
-hdc_std.exe shell chmod -v 644 /etc/selinux/targeted/policy/policy.31
-pause

sepolicy/push_demo.bat

@@ -1,3 +0,0 @@
-hdc_std.exe file send demoloop /bin/
-hdc_std.exe shell chmod 777 /bin/demoloop
-pause

sepolicy/push_demo_abcd.bat

@@ -1,5 +0,0 @@
-hdc_std.exe file send rmabcd.sh /bin/
-hdc_std.exe shell chmod 777 /bin/rmabcd.sh
-hdc_std.exe shell /bin/rmabcd.sh
-
-pause

sepolicy/push_toybox.bat

@@ -1,3 +0,0 @@
-hdc_std.exe file send toybox /bin/
-hdc_std.exe shell chmod -v 777 /bin/toybox
-pause

sepolicy/rmabcd.sh

@@ -1,9 +0,0 @@
-rm -f /data/abcd.txt
-rm -f /data/abcd2.txt
-rm -f /data/abcd3.txt
-echo abcd >/data/abcd.txt
-setfilecon 'u:object_r:data_file:s0' /data/abcd.txt
-echo abcd2 >/data/abcd2.txt
-setfilecon 'u:object_r:data_file:s0' /data/abcd2.txt
-echo abcd3 >/data/abcd3.txt
-setfilecon 'u:object_r:app_data_file:s0' /data/abcd3.txt

sepolicy/test.cil

@@ -1,286 +0,0 @@
-(role object_r)
-(role auditadm_r)
-(role secadm_r)
-(typeattribute cil_gen_require)
-(roleattribute cil_gen_require)
-(handleunknown deny)
-(mls true)
-(sid init)
-(sidcontext init (u object_r unlabeled ((s0) (s0))))
-(sid file_labels)
-(sidcontext file_labels (u object_r unlabeled ((s0) (s0))))
-(sid file)
-(sidcontext file (u object_r unlabeled ((s0) (s0))))
-(sid fs)
-(sidcontext fs (u object_r labeledfs ((s0) (s0))))
-(sid unlabeled)
-(sidcontext unlabeled (u object_r unlabeled ((s0) (s0))))
-(sid security)
-(sidcontext security (u object_r kernel ((s0) (s0))))
-(sid kernel)
-(sidcontext kernel (u r kernel ((s0) (s0))))
-(sidorder (kernel security unlabeled fs file file_labels init ))
-(fsuse xattr ext4 (u object_r labeledfs ((s0) (s0))))
-(genfscon rootfs / (u object_r rootfs ((s0) (s0))))
-(common cap (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap ))
-(common cap2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read ))
-(common ipc (create destroy getattr setattr read write associate unix_read unix_write ))
-(common socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind ))
-(common file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads ))
-(class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans ))
-(class process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit ))
-(mlsconstrain (process (transition dyntransition)) (or (and (eq h1 h2) (eq l1 l2)) (eq t1 mlstrustedsubject)))
-(class system (ipc_info syslog_read syslog_mod syslog_console module_request module_load ))
-(class capability ())
-(classcommon capability cap)
-(class filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch ))
-(class file (execute_no_trans entrypoint ))
-(classcommon file file)
-(class dir (add_name remove_name reparent search rmdir ))
-(classcommon dir file)
-(class fd (use ))
-(class lnk_file ())
-(classcommon lnk_file file)
-(class chr_file (execute_no_trans entrypoint ))
-(classcommon chr_file file)
-(class blk_file ())
-(classcommon blk_file file)
-(class sock_file ())
-(classcommon sock_file file)
-(class fifo_file ())
-(classcommon fifo_file file)
-(class socket ())
-(classcommon socket socket)
-(class tcp_socket (node_bind name_connect ))
-(classcommon tcp_socket socket)
-(class udp_socket (node_bind ))
-(classcommon udp_socket socket)
-(class rawip_socket (node_bind ))
-(classcommon rawip_socket socket)
-(class node (recvfrom sendto ))
-(class netif (ingress egress ))
-(class netlink_socket ())
-(classcommon netlink_socket socket)
-(class packet_socket ())
-(classcommon packet_socket socket)
-(class key_socket ())
-(classcommon key_socket socket)
-(class unix_stream_socket (connectto ))
-(classcommon unix_stream_socket socket)
-(class unix_dgram_socket ())
-(classcommon unix_dgram_socket socket)
-(class sem ())
-(classcommon sem ipc)
-(class msg (send receive ))
-(class msgq (enqueue ))
-(classcommon msgq ipc)
-(class shm (lock ))
-(classcommon shm ipc)
-(class ipc ())
-(classcommon ipc ipc)
-(class netlink_route_socket (nlmsg_read nlmsg_write nlmsg_readpriv ))
-(classcommon netlink_route_socket socket)
-(class netlink_tcpdiag_socket (nlmsg_read nlmsg_write ))
-(classcommon netlink_tcpdiag_socket socket)
-(class netlink_nflog_socket ())
-(classcommon netlink_nflog_socket socket)
-(class netlink_xfrm_socket (nlmsg_read nlmsg_write ))
-(classcommon netlink_xfrm_socket socket)
-(class netlink_selinux_socket ())
-(classcommon netlink_selinux_socket socket)
-(class netlink_audit_socket (nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit ))
-(classcommon netlink_audit_socket socket)
-(class netlink_dnrt_socket ())
-(classcommon netlink_dnrt_socket socket)
-(class association (sendto recvfrom setcontext polmatch ))
-(class netlink_kobject_uevent_socket ())
-(classcommon netlink_kobject_uevent_socket socket)
-(class appletalk_socket ())
-(classcommon appletalk_socket socket)
-(class packet (send recv relabelto forward_in forward_out ))
-(class key (view read write search link setattr create ))
-(class dccp_socket (node_bind name_connect ))
-(classcommon dccp_socket socket)
-(class memprotect (mmap_zero ))
-(class peer (recv ))
-(class capability2 ())
-(classcommon capability2 cap2)
-(class kernel_service (use_as_override create_files_as ))
-(class tun_socket (attach_queue ))
-(classcommon tun_socket socket)
-(class binder (impersonate call set_context_mgr transfer ))
-(class netlink_iscsi_socket ())
-(classcommon netlink_iscsi_socket socket)
-(class netlink_fib_lookup_socket ())
-(classcommon netlink_fib_lookup_socket socket)
-(class netlink_connector_socket ())
-(classcommon netlink_connector_socket socket)
-(class netlink_netfilter_socket ())
-(classcommon netlink_netfilter_socket socket)
-(class netlink_generic_socket ())
-(classcommon netlink_generic_socket socket)
-(class netlink_scsitransport_socket ())
-(classcommon netlink_scsitransport_socket socket)
-(class netlink_rdma_socket ())
-(classcommon netlink_rdma_socket socket)
-(class netlink_crypto_socket ())
-(classcommon netlink_crypto_socket socket)
-(class infiniband_pkey (access ))
-(class infiniband_endport (manage_subnet ))
-(class cap_userns ())
-(classcommon cap_userns cap)
-(class cap2_userns ())
-(classcommon cap2_userns cap2)
-(class sctp_socket (node_bind name_connect association ))
-(classcommon sctp_socket socket)
-(class icmp_socket (node_bind ))
-(classcommon icmp_socket socket)
-(class ax25_socket ())
-(classcommon ax25_socket socket)
-(class ipx_socket ())
-(classcommon ipx_socket socket)
-(class netrom_socket ())
-(classcommon netrom_socket socket)
-(class atmpvc_socket ())
-(classcommon atmpvc_socket socket)
-(class x25_socket ())
-(classcommon x25_socket socket)
-(class rose_socket ())
-(classcommon rose_socket socket)
-(class decnet_socket ())
-(classcommon decnet_socket socket)
-(class atmsvc_socket ())
-(classcommon atmsvc_socket socket)
-(class rds_socket ())
-(classcommon rds_socket socket)
-(class irda_socket ())
-(classcommon irda_socket socket)
-(class pppox_socket ())
-(classcommon pppox_socket socket)
-(class llc_socket ())
-(classcommon llc_socket socket)
-(class can_socket ())
-(classcommon can_socket socket)
-(class tipc_socket ())
-(classcommon tipc_socket socket)
-(class bluetooth_socket ())
-(classcommon bluetooth_socket socket)
-(class iucv_socket ())
-(classcommon iucv_socket socket)
-(class rxrpc_socket ())
-(classcommon rxrpc_socket socket)
-(class isdn_socket ())
-(classcommon isdn_socket socket)
-(class phonet_socket ())
-(classcommon phonet_socket socket)
-(class ieee802154_socket ())
-(classcommon ieee802154_socket socket)
-(class caif_socket ())
-(classcommon caif_socket socket)
-(class alg_socket ())
-(classcommon alg_socket socket)
-(class nfc_socket ())
-(classcommon nfc_socket socket)
-(class vsock_socket ())
-(classcommon vsock_socket socket)
-(class kcm_socket ())
-(classcommon kcm_socket socket)
-(class qipcrtr_socket ())
-(classcommon qipcrtr_socket socket)
-(class smc_socket ())
-(classcommon smc_socket socket)
-(class process2 (nnp_transition nosuid_transition ))
-(class bpf (map_create map_read map_write prog_load prog_run ))
-(class xdp_socket ())
-(classcommon xdp_socket socket)
-(class perf_event (open cpu kernel tracepoint read write ))
-(class lockdown (integrity confidentiality ))
-(classorder (security process system capability filesystem file dir fd lnk_file chr_file blk_file sock_file fifo_file socket tcp_socket udp_socket rawip_socket node netif netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket sem msg msgq shm ipc netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket association netlink_kobject_uevent_socket appletalk_socket packet key dccp_socket memprotect peer capability2 kernel_service tun_socket binder netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket infiniband_pkey infiniband_endport cap_userns cap2_userns sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket process2 bpf xdp_socket perf_event lockdown ))
-(role r)
-(roletype r domain)
-(typeattribute dev_type)
-(typeattribute domain)
-(typeattributeset domain (init untrusted_app kernel ))
-(typeattribute fs_type)
-(typeattributeset fs_type (labeledfs rootfs ))
-(typeattribute file_type)
-(typeattributeset file_type (app_data_file init_exec unlabeled ))
-(typeattribute data_file_type)
-(expandtypeattribute (data_file_type) false)
-(typeattributeset data_file_type (app_data_file ))
-(typeattribute mlstrustedsubject)
-(typeattributeset mlstrustedsubject (init untrusted_app kernel ))
-(typeattribute mlstrustedobject)
-(typeattribute appdomain)
-(typeattribute untrusted_app_all)
-(type app_data_file)
-(roletype object_r app_data_file)
-(type init)
-(roletype object_r init)
-(type untrusted_app)
-(roletype object_r untrusted_app)
-(type init_exec)
-(roletype object_r init_exec)
-(type kernel)
-(roletype object_r kernel)
-(type labeledfs)
-(roletype object_r labeledfs)
-(type rootfs)
-(roletype object_r rootfs)
-(type unlabeled)
-(roletype object_r unlabeled)
-(user u)
-(userrole u object_r)
-(userrole u r)
-(userlevel u (s0 ))
-(userrange u ((s0 ) (s0 (range c0 c10))))
-(sensitivity s0)
-(sensitivitycategory s0 (c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 ))
-(sensitivityorder (s0 ))
-(category c0)
-(category c1)
-(category c2)
-(category c3)
-(category c4)
-(category c5)
-(category c6)
-(category c7)
-(category c8)
-(category c9)
-(category c10)
-(categoryorder (c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 ))
-(allow kernel unlabeled (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)))
-(allow kernel unlabeled (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)))
-(allow kernel unlabeled (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)))
-(allow kernel unlabeled (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)))
-(allow kernel unlabeled (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)))
-(allow kernel unlabeled (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)))
-(allow kernel unlabeled (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir)))
-(allow untrusted_app rootfs (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir)))
-(allow untrusted_app unlabeled (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir)))
-(allow kernel app_data_file (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)))
-(allow kernel kernel (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow kernel rootfs (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir)))
-(allow kernel kernel (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow kernel kernel (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
-(allow kernel kernel (binder (impersonate call set_context_mgr transfer)))
-(allow untrusted_app unlabeled (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)))
-(allow untrusted_app untrusted_app (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
-(allow untrusted_app untrusted_app (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)))
-(allow untrusted_app untrusted_app (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir)))
-(allow untrusted_app unlabeled (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)))
-(allow untrusted_app unlabeled (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)))
-(allow untrusted_app kernel (fd (use)))
-(allow kernel untrusted_app (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
-(allow kernel kernel (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)))
-(allow kernel kernel (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(allow rootfs labeledfs (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch)))
-(allow kernel kernel (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)))
-(allow kernel labeledfs (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch)))
-(allow kernel kernel (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir)))
-(allow kernel unlabeled (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch)))
-(allow untrusted_app app_data_file (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)))
-(allow app_data_file labeledfs (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch)))
-(allow unlabeled labeledfs (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch)))
-(allow kernel kernel (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow kernel kernel (security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans)))

test/README.txt

@@ -0,0 +1 @@
+首先运行 .bat 把文件推上去，然后在终端中运行 selinux_test 。

test/selinux_test_helper.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+TDIR="/data/selinux/"
+
+{
+  mkdir -pv "$TDIR"
+
+  for file in "${TDIR}/"test{1,2,3}.txt
+  do
+    rm -vf "$file"
+    echo "$file" >"$file"
+
+    if [[ "test3.txt" == "$file" ]]
+    then
+      setfilecon 'u:object_r:app_data_file:s0' "$file"
+    else
+      setfilecon 'u:object_r:data_file:s0' "$file"
+    fi
+  done
+}

test/selinux_test_helper_push.bat

@@ -0,0 +1,8 @@
+hdc_std.exe file send selinux_test /bin/
+hdc_std.exe shell chmod 755 /bin/selinux_test
+
+hdc_std.exe file send selinux_test_helper.sh /bin/
+hdc_std.exe shell chmod 755 /bin/selinux_test_helper.sh
+hdc_std.exe shell /bin/selinux_test_helper.sh
+
+pause