
How are processes labeled with an SELinux context on Android?

I'm trying to do an Android SELinux implementation. For files, I can define the file's SELinux security context in the file_contexts file. Say I am adding a /system/bin/mymodule file; I can assign its scontext by adding it to /system/sepolicy/private/file_contexts. But what about a process's SELinux security context? I can't find anywhere I could simply define it.

I know a process's security context is inherited from its parent process, but is there any mechanism by which I could force-set a process's security context, just like for a file?

Any insight?

There are two things you need to do:

1. Define a Context

Let's assume you want to create a custom context called np_mybinary for your binary.

This is what your .te file will have to contain:

type np_mybinary, domain;
type np_mybinary_exec, exec_type, vendor_file_type, file_type;

This is what your file_contexts file will have to contain:

/system/bin/mymodule  u:object_r:np_mybinary_exec:s0

2. Define a Transition

You need to define the transition from the parent process context to np_mybinary_exec.

# Argument order: domain_auto_trans(olddomain, type, newdomain)
domain_auto_trans(<parent-context>, np_mybinary_exec, np_mybinary)

If your process is started by init, there is a simple macro available:

init_daemon_domain(np_mybinary);
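
What the transition comes down to, written out by hand as an added example (not part of the original answer and not the AOSP macro text). `np_parent` is a hypothetical, already-declared parent domain, the two `np_mybinary` types are the ones declared in step 1, and the real `domain_auto_trans` macro grants a few more permissions than the core rules shown here.

```selinux
# Constructed example. np_parent is a hypothetical parent domain;
# np_mybinary and np_mybinary_exec are the types declared in step 1.

# 1. The parent may execute files labelled np_mybinary_exec.
allow np_parent np_mybinary_exec:file { getattr open read execute };

# 2. The parent may move a process into the np_mybinary domain.
allow np_parent np_mybinary:process transition;

# 3. np_mybinary may be entered only by executing a file labelled
#    np_mybinary_exec (the label assigned in file_contexts).
allow np_mybinary np_mybinary_exec:file { entrypoint getattr open read execute };

# 4. Make the transition the default on exec. Rules 1-3 only permit the
#    transition; without this rule the child stays in np_parent unless the
#    parent requests the new context explicitly (for example via setexeccon()).
type_transition np_parent np_mybinary_exec:process np_mybinary;
```

To check the result on a device, `ls -Z /system/bin/mymodule` should show `u:object_r:np_mybinary_exec:s0` and `ps -AZ` should list the running process under `u:r:np_mybinary:s0`.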
