SELinux project website address
https://selinuxproject.org/page/TypeStatements
Android SELinux
https://source.android.com/security/selinux
Policy placement
In Android 7.0 and earlier, device manufacturers could add policy to BOARD_SEPOLICY_DIRS, including policy meant to augment AOSP policy across different device types. In Android 8.0 and higher, adding a policy to BOARD_SEPOLICY_DIRS places the policy only in the vendor image.
In Android 8.0 and higher, policy exists in the following locations in AOSP:
- system/sepolicy/public. Includes policy exported for use in vendor-specific policy. Everything goes into the Android 8.0 compatibility infrastructure. Public policy is meant to persist across releases so you can include anything /public in your customized policy. Because of this, the type of policy that can be placed in /public is more restricted. Consider this the platform's exported policy API: Anything that deals with the interface between /system and /vendor belongs here.
- system/sepolicy/private. Includes policy necessary for the functioning of the system image, but of which vendor image policy should have no knowledge.
- system/sepolicy/vendor. Includes policy for components that go in /vendor but exist in the core platform tree (not device-specific directories). This is an artifact of the build system's distinction between devices and global components; conceptually this is a part of the device-specific policy described below.
- device/manufacturer/device-name/sepolicy. Includes device-specific policy. Also includes device customizations to policy, which in Android 8.0 and higher corresponds to policy for components on the vendor image.
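The public/private split above can be checked mechanically. The following is an added example, not code from AOSP or from the original page: a simplified lint that flags vendor-image policy naming a type declared only under system/sepolicy/private. The sample tree and every type name in it are constructed, and only plain `type` declarations are recognised (no macro expansion).

```python
import re

# Constructed sample tree (path -> policy text); all type names are hypothetical.
SAMPLE_TREE = {
    "system/sepolicy/public/example_service.te":
        "type example_service, domain;\ntype example_data_file, file_type;\n",
    "system/sepolicy/private/example_service.te":
        "type example_private_socket, file_type;\n"
        "allow example_service example_private_socket:sock_file write;\n",
    "system/sepolicy/vendor/hal_example_default.te":
        "type hal_example_default, domain;\n"
        "allow hal_example_default example_data_file:file r_file_perms;\n",
    "device/manufacturer/device-name/sepolicy/vendor_example.te":
        "type vendor_example, domain;\n"
        "allow vendor_example example_private_socket:sock_file write;\n",
}

TYPE_DECL = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)", re.MULTILINE)
IDENT = re.compile(r"[A-Za-z0-9_]+")

def is_vendor_policy(path):
    """True for the two locations the page places in vendor image policy."""
    return path.startswith("system/sepolicy/vendor/") or (
        path.startswith("device/") and "/sepolicy/" in path)

def declared_types(tree, prefix):
    """Collect names introduced by `type` statements under a directory prefix."""
    found = set()
    for path, text in tree.items():
        if path.startswith(prefix):
            found.update(TYPE_DECL.findall(text))
    return found

def private_type_leaks(tree):
    """Return sorted (path, line_no, type) where vendor policy names a private-only type."""
    private_only = (declared_types(tree, "system/sepolicy/private/")
                    - declared_types(tree, "system/sepolicy/public/"))
    leaks = []
    for path, text in tree.items():
        if not is_vendor_policy(path):
            continue
        for line_no, line in enumerate(text.splitlines(), 1):
            code = line.split("#", 1)[0]  # ignore policy comments
            for name in IDENT.findall(code):
                if name in private_only:
                    leaks.append((path, line_no, name))
    return sorted(leaks)

if __name__ == "__main__":
    print(private_type_leaks(SAMPLE_TREE))
```
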