Using supolicy questions

  • If there were a category called "Using SuperSU" I would put this there. This seems the best of the choices available. So please understand...

    I am trying to make my root app work under Nougat with SELinux enforcement enabled. After reading Chainfire's How To SU document, I am trying to use the supolicy --live command. But I am still having no joy.

    So I have a couple questions:

    (a) Does the supolicy command have any effect outside of the su shell in which it is executed? If I issue supolicy in a root shell that completes, are the requested policy changes still in effect so that Java code in my app can do things without being blocked?

    (b) If the answer to (a) is YES, they do live beyond the life of the su shell issuing the supolicy command, what is the lifespan of the changes made by the supolicy command? Do they revert upon reboot?

    (c) If the answer to (a) is YES, how do I best revert the changes I have made with the supolicy command?

    (d) In the examples where the audit record shows "scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0", it seems that only the "sdcardd" and "unlabeled" are being used with the supolicy command. In the audit record I am trying to work around, I have "scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data". So I am using only "untrusted_app" and "app_data" in my supolicy command (that isn't yielding any change I can see). Should I be using more of the data shown for scontext and/or tcontext?

    (e) In the use caution section, I read "As a rule of thumb, if you're adding allow policies with an *_app class as either source or target class, you're very likely to be doing something you shouldn't, and you should tread carefully." Sadly this is what I am trying to do and it does feel wrong to me. But I am not sure what else I should try as an alternative. Can someone provide an alternative? Here is the full audit line that is breaking my app:

    01-28 13:05:03.481 W/com.whitedavidp.hideupdatesinplaystore(6370): type=1400 audit(0.0:294): avc: denied { open } for comm=4173796E635461736B202334 path="/data/data/com.whitedavidp.hideupdatesinplaystore/cache/databases/library.db" dev="sda35" ino=2180004 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0

    Thanks so much for any clarification you can provide. Cheers!
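
An added example, not part of the original post and not code from Chainfire or SuperSU: a small Python parser that splits the denial quoted above into its fields, showing which part of each context is the SELinux type (the third colon-separated field) and which parts are the MLS level and categories. The function names are hypothetical, and the context splitter assumes the simple `user:role:type:level[:categories]` form seen in this log line.

```python
import re

# The denial quoted in the post, used here as sample input.
SAMPLE = (
    'type=1400 audit(0.0:294): avc: denied { open } for '
    'comm=4173796E635461736B202334 '
    'path="/data/data/com.whitedavidp.hideupdatesinplaystore/cache/databases/library.db" '
    'dev="sda35" ino=2180004 scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type:level[:categories] into named parts."""
    user, role, type_, *mls = ctx.split(':')
    return {'user': user, 'role': role, 'type': type_,
            'level': mls[0] if mls else None,
            'categories': mls[1].split(',') if len(mls) > 1 else []}

def decode_comm(value):
    """Audit records hex-encode comm when it holds spaces or special characters."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace')
    except ValueError:
        return value  # not valid hex, keep as logged

def parse_avc(line):
    """Return the fields of one AVC record, or None if the line has none."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(3)))
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),
        'comm': decode_comm(fields.get('comm', '')),
        'path': fields.get('path', '').strip('"'),
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }
```

Calling `parse_avc(SAMPLE)` yields source type `untrusted_app` with categories `c512` and `c768`, target type `app_data_file`, class `file`, permission `open`, and the decoded thread name `AsyncTask #4`.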


