Friday, May 3, 2013

SELinux Learning

SELinux Project

http://selinuxproject.org/page/NB_SEforAndroid_1


Breaking the Ice with SELinux

http://billauer.co.il/selinux-policy-module-howto.html


A step-by-step guide to building a new SELinux policy module


Writing SE Linux policy HOWTO


The Guide to Writing SELinux Policy


CentOS - SELinux HowTos


Fedora - SELinux



The_SELinux_Notebook_The_Foundations_3rd_Edition





========================================================================

Securing Android-Powered Mobile Devices Using SELinux

Integrating SELinux in Android
1) Android Doesn’t Support SELinux 
    – SELinux disabled in the Linux kernel 
        • requires a rooted device 
2) Android Doesn’t Have a Method or Tool for Loading the SELinux Policy 
    – Not loading the policy on boot or init process
        • added three new commands to init.rc 
    – Loadpolicy, chcon, context 
3) Creating a Custom SELinux Policy for Android 
    – The default SELinux reference policy is irrelevant on Android:
        • it assumes a Linux standard base layout
        • it’s too big for an embedded system. 
    – Solutions
        • construct a policy without using the reference policy.
        • Remove irrelevant modules (Apache)
4) Android’s File System Doesn’t Support Extended Attributes 
    – yaffs2 doesn’t support extended attributes (xattrs)
        • used the chcon command to set xattrs on memory file systems.
5) It’s Difficult to Apply SELinux Policy to Dalvik Processes 
    – Dalvik limits SELinux’s applicability 
        • altering the zygote code

Steps in Porting SELinux to Android 
– 1. Compile the kernel with SELinux support
– 2. Design an Android-specific security policy
– 3. Modify the init process code and init.rc script to support additional commands to load the policy at system startup and set initial labels. 
– 4. Build a new disk image containing the updated init and policy files and update it on the device.
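
For step 1, a quick way to confirm that a kernel build configuration really enables SELinux before flashing the image. This is an added example, not code from the paper or from this post; the required symbols are the mainline Linux Kconfig names for SELinux and its dependencies, and the sample config is constructed.

```shell
#!/bin/sh
# Symbols SELinux needs: the module itself plus its Kconfig dependencies.
SELINUX_REQUIRED="CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_AUDIT CONFIG_SECURITY_SELINUX"

# check_selinux_config FILE
# Prints one status line per symbol. Returns 0 if every required symbol
# is built in (=y), 1 if any is missing, 2 if the file cannot be read.
check_selinux_config() {
    cfg=$1
    missing=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for sym in $SELINUX_REQUIRED; do
        if grep -q "^${sym}=y\$" "$cfg"; then
            echo "ok       $sym"
        else
            echo "MISSING  $sym"
            missing=1
        fi
    done
    # Compiled in but disabled by default: the policy loaded by init would
    # never be enforced unless the kernel is booted with selinux=1.
    if grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0$' "$cfg"; then
        echo "WARN     SELinux is off by default (boot with selinux=1)"
    fi
    return $missing
}

# Constructed sample: a config with the security framework enabled
# but SELinux and audit left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_AUDIT is not set
# CONFIG_SECURITY_SELINUX is not set
EOF
check_selinux_config "$sample" || echo "=> rebuild the kernel with the MISSING options set to y"
rm -f "$sample"
```

Point it at the `.config` in the kernel build tree; a non-zero exit status means the resulting kernel cannot load a policy at all.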

The evaluation tools
– bonnie++
• file system and disk performance benchmark
– Lmbench
• a set of microbenchmarks for low-level Linux functionalities 

Benchmarking
I/O bandwidth, latency, CPU consumption, memory footprint.


Porting LMbench to Android
http://blog.csdn.net/yiyaaixuexi/article/details/8664957

SELinux Policy Editor
http://seedit.sourceforge.net/


