author:    Stephen Smalley <sds@tycho.nsa.gov>    2012-11-02 15:22:34 -0400
committer: Ricardo Cerqueira <cyanogenmod@cerqueira.org>    2013-07-18 20:38:39 +0100
commit:    7db7210d2685b136d03cf49f2574e78ded5436e7
tree:      05632c5de555ef9c709922d08d6ca8c40903d741
parent:    584184911e3040bade4695d58ea5a3179406be51
Document the SELinux extensions to the Android init language.
Change-Id: I9b066e0789c93e5147c28a60baeed91c44dd9359
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r--    init/readme.txt    26
1 files changed, 26 insertions, 0 deletions
diff --git a/init/readme.txt b/init/readme.txt index f674db8..55afdd7 100644 --- a/init/readme.txt +++ b/init/readme.txt @@ -88,6 +88,13 @@ group <groupname> [ <groupname> ]* supplemental groups of the process (via setgroups()). Currently defaults to root. (??? probably should default to nobody) +seclabel <securitycontext> + Change to securitycontext before exec'ing this service. + Primarily for use by services run from the rootfs, e.g. ueventd, adbd. + Services on the system partition can instead use policy-defined transitions + based on their file security context. + If not specified and no transition is defined in policy, defaults to the init context. + oneshot Do not restart the service when it exits. @@ -182,6 +189,21 @@ mount <type> <device> <dir> [ <mountoption> ]* device by name. <mountoption>s include "ro", "rw", "remount", "noatime", ... +restorecon <path> + Restore the file named by <path> to the security context specified + in the file_contexts configuration. + Not required for directories created by the init.rc as these are + automatically labeled correctly by init. + +setcon <securitycontext> + Set the current process security context to the specified string. + This is typically only used from early-init to set the init context + before any other process is started. + +setenforce 0|1 + Set the SELinux system-wide enforcing status. + 0 is permissive (i.e. log but do not deny), 1 is enforcing. + setkey TBD @@ -191,6 +213,10 @@ setprop <name> <value> setrlimit <resource> <cur> <max> Set the rlimit for a resource. +setsebool <name>=<value> + Set SELinux boolean <name> to <value>. + <value> may be 1|true|on or 0|false|off + start <service> Start a service running if it is not already running. |
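Review bot: in the first hunk (the new `seclabel` entry, lines 88-95 of init/readme.txt), the closing sentence "If not specified and no transition is defined in policy, defaults to the init context." presents the fallback neutrally, yet a service inheriting init's context runs in the most privileged domain on the device. Suggest stating that this fallback is not an acceptable end state and that every service should land in its own domain, either through `seclabel` (for rootfs services such as ueventd and adbd, as the entry already says) or through a policy transition keyed on the file security context for services on the system partition, so that readers do not read the default as a supported configuration.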
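Review bot: in the second hunk (the `restorecon`, `setcon` and `setenforce` entries added after `mount`), the `restorecon` text "Restore the file named by <path> to the security context specified in the file_contexts configuration." leaves open whether passing a directory relabels its contents; suggest stating explicitly that only the single named path is relabeled (or that it recurses, if it does), since the following sentence about init-created directories invites exactly that question. For `setenforce 0|1`, the entry defines 0 as permissive but not when it is meant to be used; a sentence noting that a `setenforce 0` left in an init script disables enforcement system-wide for everything started afterwards, and is intended for development and debugging rather than shipping configurations, would close that gap.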
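Review bot: in the third hunk (the `setsebool` entry after `setrlimit`), the argument form `<name>=<value>` differs from the space-separated convention of the surrounding commands (`setprop <name> <value>` is visible in the hunk's context line), so the entry should say that the `=` is part of the syntax rather than leaving the reader to infer it. Minor style point: the value line "<value> may be 1|true|on or 0|false|off" is the only sentence in these additions without a terminating period; suggest "<value> may be 1|true|on or 0|false|off."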