简体繁体 English

在GenyMotion虚拟设备上与SELinux进行交互

[英]Interact with SELinux on GenyMotion Virtual Device

原文 2018-12-15 19:03:40 4 2 android/ selinux

I read a lot about SELinux, and I would have liked to try and get my hands on a case study for the university. 我读了很多关于SELinux的文章，并且我想尝试着为大学做一个案例研究。 I have installed various virtual devices on GenyMotion, from Android 6 to Android 9, but nobody owns SElinux: when I do "sestatus" it answers "disabled". 我已经在GenyMotion上安装了各种虚拟设备，从Android 6到Android 9，但是没有人拥有SElinux：当我执行“ sestatus”时，它会回答“ disabled”。 I do not think it's enough to enable it, it seems that the modules must be installed in the kernel, can someone tell me how to do it? 我认为启用它还不够，似乎必须将模块安装在内核中，有人可以告诉我该怎么做吗？ I tried but I did not find anything, I'm having a lot of difficulties, it's the first time I do these things. 我尝试过，但是没有找到任何东西，我遇到很多困难，这是我第一次做这些事情。 Thanks to everyone in advance. 预先感谢大家。

2 个解决方案

Finally I managed to make everything work: I was able to access Selinux information via a terminal in the GenyMotion virtual device. 最终，我设法使一切正常：我能够通过GenyMotion虚拟设备中的终端访问Selinux信息。 Selinux is already active on devices after version 4.3, there is no need to install it as it said @Martin Zeitler. Selinux在版本4.3之后的设备上已经处于活动状态，无需安装它，因为它表示为@Martin Zeitler。 I explain the solution to the problem (on Linux it works). 我解释了该问题的解决方案（在Linux上有效）。

The first thing to do is to install a terminal in the virtual device: I have installed Termux. 要做的第一件事是在虚拟设备中安装终端：我已经安装了Termux。 To do this, just download the apk from a site and drag it to the virtual device, the installation will start. 为此，只需从站点下载apk并将其拖动到虚拟设备，即可开始安装。 Subsequently, it is necessary to provide the SuperUser permissions to the Termux terminal: banally, by opening the terminal, provide the SU command, and the device will ask you if you want to provide SuperUser permissions to the Termux application. 随后，有必要向Termux终端提供SuperUser权限：通常，通过打开终端，提供SU命令，然后设备会询问您是否要向Termux应用程序提供SuperUser权限。 When you enter the SU command, it will allow you to browse the folders on your device. 输入SU命令时，它将允许您浏览设备上的文件夹。 With the "ls" command, providing the "-Z" option, you can see the SElinux context of the files. 使用“ ls”命令（提供“ -Z”选项），您可以看到文件的SElinux上下文。 From the terminal, using the "getenforce" command, you can see how Selinux is running. 在终端上，使用“ getenforce”命令，可以查看Selinux的运行方式。 Here you will see other useful commands: https://www.all-things-android.com/content/se-android-commands 在这里，您将看到其他有用的命令： https : //www.all-things-android.com/content/se-android-commands
Now, you will need to download the tool that allows us to interact with Selinux: setools. 现在，您将需要下载允许我们与Selinux交互的工具：setools。 https://github.com/pasis/setools-android These tools are written in C, the native language of Android, so you need to download the NDK library to compile them: https://developer.android.com/ndk/downloads/ https://github.com/pasis/setools-android这些工具是用C（Android的本地语言）编写的，因此您需要下载NDK库进行编译： https : //developer.android.com/ndk/下载/
The first thing to do to compile, is to specify the project path: export NDK_PROJECT_PATH=/my/project/path . 编译的第一件事是指定项目路径：export NDK_PROJECT_PATH = / my / project / path。 The second step is to specify the makefile: ndk-build NDK_APPLICATION_MK=/my/project/Makefile.am (for a complete guide: https://software.intel.com/en-us/articles/building-an-android-command-line-application-using-the-ndk-build-tools ) 第二步是指定生成文件：ndk-build NDK_APPLICATION_MK = / my / project / Makefile.am（有关完整指南，请访问： https ://software.intel.com/zh-cn/articles/building-an-android- 命令行应用程序使用ndk构建工具）
When you have finished compiling, you can send the Setools folder to the virtual device, using the adb program. 完成编译后，可以使用adb程序将Setools文件夹发送到虚拟设备。 ./adb push /setool/local/folder /remote/device/folder (example: ./adb /setool /tmp) Now that you have Setool on your device, you can run the tools in the "/setool/obj/local/x86" folder. ./adb push / setool / local / folder / remote / device / folder（例如：./adb / setool / tmp）现在您已经在设备上安装了Setool，可以在“ / setool / obj / local”中运行这些工具/ x86“文件夹。 Thanks to "sepolicy-inject" you can also add rules to the policies. 借助“ sepolicy-inject”，您还可以将规则添加到策略中。

Finally, thanks to this guide I realized that Selinux policies are stored in binary format, so it is not possible to interact with them without tools. 最后，由于有了本指南，我才意识到Selinux策略是以二进制格式存储的，因此没有工具就无法与它们进行交互。 https://ge0n0sis.github.io/posts/2015/12/exploring-androids-selinux-kernel-policy/ https://ge0n0sis.github.io/posts/2015/12/exploring-androids-selinux-kernel-policy/

one cannot "install SE Linux" on Android; 一个不能在Android上“安装SE Linux”； because it's already installed and enabled by default since API level 21. you'd need to become user root , in order to access these management commands. 因为自API级别21开始已经默认安装和启用它，所以您需要成为root用户才能访问这些管理命令。 this would only be possible on a rooted hardware device - or a rooted emulator image. 仅在有根的硬件设备或有根的仿真器映像上才有可能。

... just install CentOS or whatever else security enabled Linux distribution, for a test. ...只需安装CentOS或任何其他启用安全性的Linux发行版进行测试。