Reading and Writing SELinux Rules
This interface lets you perform basic read and regular write operations on the system's SELinux rules, so you can set or bypass some system restrictions. The related interfaces can affect system functionality, so use them with caution; you are expected to already understand SELinux.
Getting an Operation Instance
Before starting, obtain a SelinuxPolicy instance.
selinux = d.stub("SelinuxPolicy")
Getting SELinux Status
Use the following interface call to check whether SELinux rules are enabled.
selinux.enabled()
>>> selinux.is_enabled()
True
Use the following interface call to check whether the current mode is enforcing.
selinux.get_enforce()
>>> selinux.get_enforce()
1
Setting SELinux Status
Use the following interface call to set SELinux to enforcing or permissive mode.
selinux.set_enforce(enable)
Use the following interface call to set enforcing mode.
>>> selinux.set_enforce(True)
1
Use the following interface call to set permissive mode.
>>> selinux.set_enforce(False)
0
Creating a New Domain
Use the following interface call to create a new domain in SELinux.
selinux.create_domain(domain_name)
>>> selinux.create_domain("hello_selinux")
True
Setting a Domain to Permissive
Use the following interface call to set an SELinux domain to permissive.
selinux.permissive(domain_name)
>>> selinux.permissive("untrusted_app")
True
Setting a Domain to Enforcing
Use the following interface call to set an SELinux domain to enforcing.
selinux.enforce(domain_name)
>>> selinux.enforce("untrusted_app")
True
Detailed Control Rules
The following interface calls let you write allow and disallow rules in more detail.
selinux.disallow(source, target, tclass, action)
selinux.allow(source, target, tclass, action)
Here, source and target are the source and target contexts, tclass is the target class, and action is the specific operation. action accepts either * (meaning all operations) or one specific action. None of the parameters accept multiple contexts or actions in the standard policy set form such as {binder system_app}; each takes a single name. Below is an example operation.
>>> selinux.allow("hal_camera_default", "camera_vendor_data_file", "dir", "*")
The rule above grants hal_camera_default all permissions on the camera_vendor_data_file directory (class dir). Calling the disallow method with the same arguments denies these permissions instead.
>>> selinux.allow("hal_camera_default", "camera_vendor_data_file", "dir", "search")
You can also provide a single specific action such as search, as shown above.
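As an added example that is not part of this documentation or of the SelinuxPolicy interface, the following Python wrapper checks that every argument is a single name before any rule is written, renders the equivalent SELinux policy statement for review, and records each grant so it can be withdrawn again through disallow. FakeSelinuxPolicy is a constructed stand-in for the d.stub("SelinuxPolicy") object, and the identifier pattern is an assumption.

```python
import re

# Each parameter of allow()/disallow() is one identifier; the interface does not
# take policy-language sets such as "{binder system_app}". The pattern is assumed.
_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")

def check_rule(source, target, tclass, action):
    """Return None when the arguments form a valid single-name rule, else the reason."""
    for label, value in (("source", source), ("target", target), ("tclass", tclass)):
        if not _NAME.match(value):
            return f"{label} must be a single name, got {value!r}"
    if action != "*" and not _NAME.match(action):
        return f"action must be '*' or one permission, got {action!r}"
    return None

def as_policy_statement(source, target, tclass, action):
    """Render the equivalent SELinux policy statement for review or logging;
    '*' is the policy language's own all-permissions wildcard."""
    err = check_rule(source, target, tclass, action)
    if err:
        raise ValueError(err)
    return f"allow {source} {target}:{tclass} {action};"

class RuleSession:
    """Applies allow rules through a SelinuxPolicy stub and records each one so
    the grants can be withdrawn again with the matching disallow calls."""
    def __init__(self, stub):
        self.stub, self.applied = stub, []
    def allow(self, source, target, tclass, action):
        rule = (source, target, tclass, action)
        statement = as_policy_statement(*rule)  # validates before the policy is touched
        self.stub.allow(*rule)
        self.applied.append(rule)
        return statement
    def revert(self):
        """Issue disallow for every recorded grant, newest first; return what was reverted."""
        for rule in reversed(self.applied):
            self.stub.disallow(*rule)
        reverted, self.applied = self.applied, []
        return [as_policy_statement(*r) for r in reverted]

class FakeSelinuxPolicy:
    """Constructed stand-in for d.stub("SelinuxPolicy") that only records the calls."""
    def __init__(self):
        self.calls = []
    def allow(self, *rule):
        self.calls.append(("allow",) + rule)
    def disallow(self, *rule):
        self.calls.append(("disallow",) + rule)
```

With the real stub, pass `d.stub("SelinuxPolicy")` to RuleSession instead of FakeSelinuxPolicy; revert() then removes exactly the grants that the session applied.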