SELinux Android setool tool

Source: Internet  Editor: 程序博客网  Time: 2024/05/14 09:28

http://wenku.baidu.com/view/e77d19fc770bf78a65295465.html

setool --build whitelist /tmp/com.dianxinos.powermanager.apk
<signer signature="...">
  <package name="com.dianxinos.powermanager">
    <allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
    <allow-permission name="android.permission.ACCESS_WIFI_STATE" />
    <allow-permission name="android.permission.BATTERY_STATS" />
    <allow-permission name="android.permission.BLUETOOTH" />
    <allow-permission name="android.permission.BLUETOOTH_ADMIN" />
    <allow-permission name="android.permission.CHANGE_NETWORK_STATE" />
    <allow-permission name="android.permission.CHANGE_WIFI_STATE" />
    <allow-permission name="android.permission.GET_PACKAGE_SIZE" />
    <allow-permission name="android.permission.INTERNET" />
    <allow-permission name="android.permission.KILL_BACKGROUND_PROCESSES" />
    <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
    <allow-permission name="android.permission.READ_PHONE_STATE" />
    <allow-permission name="android.permission.READ_SYNC_SETTINGS" />
    <allow-permission name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <allow-permission name="android.permission.RESTART_PACKAGES" />
    <allow-permission name="android.permission.SYSTEM_ALERT_WINDOW" />
    <allow-permission name="android.permission.VIBRATE" />
    <allow-permission name="android.permission.WAKE_LOCK" />
    <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <allow-permission name="android.permission.WRITE_SETTINGS" />
    <allow-permission name="android.permission.WRITE_SYNC_SETTINGS" />
    <allow-permission name="com.android.launcher.permission.INSTALL_SHORTCUT" />
    <allow-permission name="com.android.vending.BILLING" />
    <allow-permission name="com.android.vending.CHECK_LICENSE" />
    <allow-permission name="com.dianxinos.powermanager.permission.CLOSEAPP" />
    <allow-permission name="com.dianxinos.powermanager.permission.UPDATE" />
  </package>
</signer>

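The --build command above does not modify any file. It only prints the permissions that the APK requests. This output can be placed in mac_permissions.xml so that the package passes the check during installation.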

setool --policy external/sepolicy/mac_permissions.xml /tmp/com.dianxinos.powermanager.apk

Default policy stanza used.
Policy blacklist rejected package com.dianxinos.powermanager
Denied permission android.permission.WRITE_EXTERNAL_STORAGE
Set of blacklisted permissions is:
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.AUTHENTICATE_ACCOUNTS
android.permission.CALL_PHONE
android.permission.CAMERA
android.permission.READ_LOGS
android.permission.WRITE_EXTERNAL_STORAGE

The --policy command likewise does not modify any file. It only reports whether the APK's package is accepted by mac_permissions.xml.
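A simplified model of the decision that --policy reports, as an added example (not setool's code and not part of the original post). It assumes a `<policy>` root, a `<default>` stanza made of `deny-permission` entries, and that the most specific matching stanza wins; the signature is a placeholder and the requested permissions are a subset of the --build output above.

```python
import xml.etree.ElementTree as ET

# Constructed sample data; SIG stands in for the signing certificate value.
SIG, PKG = "PLACEHOLDER_SIGNATURE", "com.dianxinos.powermanager"
BLACKLIST = ["ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "AUTHENTICATE_ACCOUNTS",
             "CALL_PHONE", "CAMERA", "READ_LOGS", "WRITE_EXTERNAL_STORAGE"]
REQUESTED = ["android.permission.INTERNET", "android.permission.WAKE_LOCK",
             "android.permission.WRITE_EXTERNAL_STORAGE"]  # subset of the --build output
RULES = ("allow-all", "allow-permission", "deny-permission")

def build_policy(whitelist=()):
    """Default blacklist stanza, plus a signer/package whitelist stanza if given."""
    deny = "".join('<deny-permission name="android.permission.%s"/>' % p for p in BLACKLIST)
    allow = "".join('<allow-permission name="%s"/>' % p for p in whitelist)
    signer = ('<signer signature="%s"><package name="%s">%s</package></signer>'
              % (SIG, PKG, allow)) if whitelist else ""
    return "<policy>%s<default>%s</default></policy>" % (signer, deny)

def select_stanza(root, signature, package):
    """Assumed precedence: signer+package, then signer, then default."""
    for signer in root.findall("signer"):
        if signer.get("signature") != signature:
            continue
        for pkg in signer.findall("package"):
            if pkg.get("name") == package:
                return "package", pkg
        if any(signer.find(t) is not None for t in RULES):
            return "signer", signer
    return "default", root.find("default")

def check(policy_xml, signature, package, requested):
    """Return (accepted, stanza kind, sorted denied permissions)."""
    kind, stanza = select_stanza(ET.fromstring(policy_xml), signature, package)
    if stanza is None:                      # model choice: no stanza rejects everything
        return False, kind, sorted(requested)
    if stanza.find("allow-all") is not None:
        return True, kind, []
    allowed = {e.get("name") for e in stanza.findall("allow-permission")}
    if allowed:                             # whitelist: every request must be listed
        denied = set(requested) - allowed
    else:                                   # blacklist: no request may be listed
        denied = set(requested) & {e.get("name") for e in stanza.findall("deny-permission")}
    return not denied, kind, sorted(denied)

if __name__ == "__main__":
    print(check(build_policy(), SIG, PKG, REQUESTED))           # default stanza rejects
    print(check(build_policy(REQUESTED), SIG, PKG, REQUESTED))  # whitelist stanza accepts
```

The first call mirrors the rejection shown in the --policy output; the second shows the package being accepted once a whitelist stanza like the one printed by --build is present in the policy.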


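On the phone there is an SELinux application that enables the MAC feature. While it is not enabled, an APK can be installed with adb install; if the MAC feature is then enabled, the APK can still run. So the XML only controls the installation process.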