- MUST set SELinux to global enforcing mode.
- MUST configure all domains in enforcing mode. No permissive mode domains are allowed, including domains specific to a device/vendor.
- MUST NOT modify, omit, or replace the neverallow rules present within the external/sepolicy folder provided in the upstream Android Open Source Project (AOSP) and the policy MUST compile with all neverallow rules present, for both AOSP SELinux domains as well as device/vendor specific domains.
We are in compliance with the first two rules, but had to add a heap of modifications to the neverallow rules in order to both accomplish that, and provide an su domain that is strong enough to be useful.
I wonder if a different type of su domain might be able to satisfy all three, such as the ability to transition globally from su domain into any domain on demand, rather than just granting global rights to everything....