SELinux
This interface provides basic read and write access to the device's SELinux policy, which lets you set or bypass some system restrictions. These calls can affect system functionality, so use them with caution; a basic understanding of SELinux is assumed.
Obtain an Operation Instance
Before starting, obtain an SELinux instance from the device object.
selinux = d.stub("SELinuxPolicy")
Get SELinux Status
Use the following call to check whether SELinux is enabled.
selinux.is_enabled()
>>> selinux.is_enabled()
True
Use the following call to check whether SELinux is currently in enforcing mode.
selinux.get_enforce()
>>> selinux.get_enforce()
1
Set SELinux Status
Use the following call to switch SELinux between enforcing and permissive mode.
selinux.set_enforce(enable)
Pass True to set enforcing mode.
>>> selinux.set_enforce(True)
1
Pass False to set permissive mode.
>>> selinux.set_enforce(False)
0
Create a New Domain
Use the following call to create a new domain in SELinux.
selinux.create_domain(domain_name)
>>> selinux.create_domain("hello_selinux")
True
Set Domain to Permissive
Use the following call to put a single SELinux domain into permissive mode.
selinux.permissive(domain_name)
>>> selinux.permissive("untrusted_app")
True
Set Domain to Enforcing
Use the following call to put a single SELinux domain back into enforcing mode.
selinux.enforce(domain_name)
>>> selinux.enforce("untrusted_app")
True
Refine Control Rules
Use the following calls to write finer-grained allow and disallow rules.
selinux.disallow(source, target, tclass, action)
selinux.allow(source, target, tclass, action)
Here source and target are the source and target contexts (types), tclass is the target class, and action is the specific operation; action accepts either * (meaning all operations) or a single named action. None of the parameters accept the brace-set form used in standard policy rules, such as { binder system_app }; each parameter takes exactly one name. An example operation:
>>> selinux.allow("hal_camera_default", "camera_vendor_data_file", "dir", "*")
This rule grants hal_camera_default every permission on the dir class of camera_vendor_data_file. Calling disallow with the same arguments denies those permissions instead.
>>> selinux.allow("hal_camera_default", "camera_vendor_data_file", "dir", "search")
As shown above, a specific action such as search can be given instead of *.
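Because allow() and disallow() take exactly one name per parameter, a rule written in the usual brace-set TE syntax has to be expanded into one call per combination. The helper below is an added example, not part of the SELinuxPolicy stub's own API; it assumes a mini grammar of `allow|disallow source target:class perms;` (the `disallow` verb mapping onto selinux.disallow is an assumption of this example), and RecordingStub is a constructed stand-in for d.stub("SELinuxPolicy") so the code runs offline.

```python
import re
from typing import List, Tuple

# Added example: expand a TE-style rule into single-name calls for the stub.
# Grammar assumed here: <allow|disallow> <src|{set}> <tgt|{set}>:<cls|{set}> <perms|{set}|*>;
RULE_RE = re.compile(
    r"^\s*(allow|disallow)\s+"        # verb -> selinux.allow / selinux.disallow
    r"(\{[^}]*\}|\S+)\s+"             # source type or { set }
    r"(\{[^}]*\}|[^:\s]+)\s*:\s*"     # target type or { set }
    r"(\{[^}]*\}|\S+?)\s+"            # class or { set }
    r"(\{[^}]*\}|\S+?)\s*;\s*$"       # permissions: { set }, one name, or *
)

def _expand(token: str) -> List[str]:
    """'{ a b }' -> ['a', 'b'];  'a' -> ['a']."""
    if token.startswith("{"):
        return token.strip("{} ").split()
    return [token]

def expand_rule(rule: str) -> List[Tuple[str, str, str, str, str]]:
    """Return every (verb, source, target, tclass, action) tuple the rule denotes."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    verb, src, tgt, cls, perms = m.groups()
    return [(verb, s, t, c, p)
            for s in _expand(src) for t in _expand(tgt)
            for c in _expand(cls) for p in _expand(perms)]

def apply_rule(selinux, rule: str) -> int:
    """Issue one stub call per expanded tuple; returns how many calls were made."""
    tuples = expand_rule(rule)
    for verb, s, t, c, p in tuples:
        method = selinux.allow if verb == "allow" else selinux.disallow
        method(s, t, c, p)
    return len(tuples)

class RecordingStub:
    """Constructed stand-in for d.stub("SELinuxPolicy"): records calls instead of changing policy."""
    def __init__(self):
        self.calls = []
    def allow(self, source, target, tclass, action):
        self.calls.append(("allow", source, target, tclass, action)); return True
    def disallow(self, source, target, tclass, action):
        self.calls.append(("disallow", source, target, tclass, action)); return True

if __name__ == "__main__":
    stub = RecordingStub()
    n = apply_rule(stub, "allow hal_camera_default { camera_vendor_data_file camera_data_file }:dir { search open };")
    print(n, stub.calls)
```

With a real device, pass the object returned by d.stub("SELinuxPolicy") instead of RecordingStub; review the expanded list first, since a brace set multiplies into one policy change per entry.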