Configuring an OpenHarmony SELinux Policy for a Process

Native Process

Scenario

Configure a policy for a native process incubated by init or chipset_init through the configuration file, for example, ueventd and installs.

Procedure

  1. In the configuration file of the process, add the secon field to configure the mapping between the process and the label. If the secon field is not configured, the process will be intercepted when SELinux is enabled.

    {
        "services" : [{
                "name" : "demo",
                "path" : ["/system/bin/demo"],
                "uid" : "demo",
                "gid" : ["demo"],
                "secon" : "u:r:demo:s0"
            }
        ]
    }
    
  2. In the type.te file, define the SELinux type demo used in the SELinux label u:r:demo:s0 so that the label is valid.

    If demo is incubated by init, set it as follows:

    type demo, native_system_domain, domain;
    

    If demo is incubated by chipset_init, set it as follows:

    type demo, native_chipset_domain, domain;
    

SA Process

Scenario

Configure a policy for an SA process incubated by init through the configuration file, for example, accountmgr and foundation.

Procedure

  1. In the configuration file of the process, add the secon field to configure the mapping between the process and the label. If the secon field is not configured, the process will be intercepted when SELinux is enabled.

    {
        "services" : [{
                "name" : "demo",
                "path" : ["/system/bin/sa_main", "/system/profile/demo.json"],
                "uid" : "demo",
                "gid" : ["demo"],
                "secon" : "u:r:demo:s0"
            }
        ]
    }
    
  2. In the type.te file, define the SELinux type demo used in the SELinux label u:r:demo:s0 so that the label is valid.

    type demo, sadomain, domain;
    

HDF Service Process

Scenario

Configure a policy for an HDF service process incubated by init or chipset_init through the configuration file, for example, wifi_host and camera_host.

Procedure

  1. In the configuration file of the process, add the secon field to configure the mapping between the process and the label. If the secon field is not configured, the process will be intercepted when SELinux is enabled.

    {
        "services" : [{
                "name" : "demo",
                "path" : ["/vendor/bin/hdf_devhost", "0", "demo"],
                "uid" : "demo",
                "gid" : ["demo"],
                "secon" : "u:r:demo:s0"
            }
        ]
    }
    
  2. In the type.te file, define the SELinux type demo used in the SELinux label u:r:demo:s0 so that the label is valid.

    type demo, hdfdomain, domain;
    

Application Process

Scenario

Configure a policy for a system application process incubated by appspawn, for example, com.ohos.permissionmanager, to make it run with an independent label.

Procedure

  1. In the sehap_contexts file, map the application's APL and bundle name to its process label and data directory label.

    For example, if the application APL is normal and the bundle name is com.ohos.permissionmanager, the following entry sets the data directory label to u:object_r:permissionmanager_hap_data_file:s0 and the label of the running application process to u:r:permissionmanager_hap:s0.

    apl=normal name=com.ohos.permissionmanager domain=permissionmanager_hap type=permissionmanager_hap_data_file
    

    For details about the APL, see Application APL.

  2. Define permissionmanager_hap and permissionmanager_hap_data_file in type.te to make u:r:permissionmanager_hap:s0 and u:object_r:permissionmanager_hap_data_file:s0 valid.

    type permissionmanager_hap, normal_hap_attr, hap_domain, domain;
    type permissionmanager_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr;
    

    In this example, the application APL is normal. The following table lists the reference configuration for applications of different APLs.

    Table 1 Mappings between APLs and application attributes

| APL | Application Process Attribute | Application Data Directory Attribute |
| --- | --- | --- |
| normal | normal_hap_attr | normal_hap_data_file_attr |
| system_basic | system_basic_hap_attr | system_basic_hap_data_file_attr |
| system_core | system_core_hap_attr | system_core_hap_data_file_attr |
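
The two-step procedures above fail when a secon label or a sehap_contexts entry names a type that type.te never declares. The following cross-check is an added example, not OpenHarmony project code: the function names and sample inputs are constructed for illustration, file contents are passed in as strings, and process labels are assumed to have the form u:r:<type>:s0 as in the examples on this page.

```python
import json
import re

# Constructed sample inputs (not taken from a real OpenHarmony tree).
SAMPLE_CFG = '''{
    "services": [
        {"name": "demo", "path": ["/system/bin/demo"], "secon": "u:r:demo:s0"},
        {"name": "nolabel", "path": ["/system/bin/nolabel"]},
        {"name": "typo", "path": ["/system/bin/typo"], "secon": "u:r:tpyo:s0"}
    ]
}'''
SAMPLE_TE = ("type demo, native_system_domain, domain;\n"
             "type permissionmanager_hap, normal_hap_attr, hap_domain, domain;\n")
SAMPLE_SEHAP = ("apl=normal name=com.ohos.permissionmanager "
                "domain=permissionmanager_hap type=permissionmanager_hap_data_file\n")

# Assumption: process labels look like u:r:<type>:s0, as on this page.
LABEL_RE = re.compile(r"^u:r:(\w+):s0$")
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,([^;]*))?;", re.M)

def declared_types(te_text):
    """Map each type declared in type.te text to its set of attributes."""
    return {m.group(1): {a.strip() for a in (m.group(2) or "").split(",")}
            for m in TYPE_RE.finditer(te_text)}

def check_services(cfg_text, te_text):
    """Return (service, problem) pairs for an init service configuration."""
    types, problems = declared_types(te_text), []
    for svc in json.loads(cfg_text).get("services", []):
        name, secon = svc.get("name", "?"), svc.get("secon")
        m = LABEL_RE.match(secon) if isinstance(secon, str) else None
        if secon is None:
            problems.append((name, "missing secon"))
        elif m is None:
            problems.append((name, "malformed secon"))
        elif "domain" not in types.get(m.group(1), set()):
            problems.append((name, "type %s not declared as a domain" % m.group(1)))
    return problems

def check_sehap(sehap_text, te_text):
    """Return domain/type names used in sehap_contexts but absent from type.te."""
    types, missing = declared_types(te_text), []
    for line in sehap_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        missing += [fields[k] for k in ("domain", "type")
                    if k in fields and fields[k] not in types]
    return missing

if __name__ == "__main__":
    print(check_services(SAMPLE_CFG, SAMPLE_TE), check_sehap(SAMPLE_SEHAP, SAMPLE_TE))
```

In the constructed sample, the nolabel service has no secon field, the typo service points at an undeclared type, and the data directory type from the sehap_contexts entry is missing from type.te.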