# Help building this for the Thunderbolt.



## The_KGB (Jul 18, 2011)

Hello, I noticed this: http://selinuxprojec.../page/SEAndroid

I am trying to figure out how to build this so I can use it. If someone can "noob" this down for me, I would be so happy and perhaps even give you a cookie.

Heck, we could even make a dev team based off of this.

*How can SELinux help Android?*

- Confine privileged daemons.
- Protect them from misuse.
- Limit the damage that can be done via them.
- Sandbox and isolate apps.
- Strongly separate apps from each other and from the system.
- Prevent privilege escalation by apps.
- Provide centralized, analyzable policy.

*Distinctive features of SE Android:*

- Per-file security labeling support for yaffs2,
- Filesystem images (yaffs2 and ext4) labeled at build time,
- Kernel permission checks controlling Binder IPC,
- Labeling of service sockets and socket files created by init,
- Labeling of device nodes created by ueventd,
- Flexible, configurable labeling of apps and app data directories,
- Userspace permission checks controlling use of the Zygote socket commands,
- Minimal port of SELinux userspace,
- SELinux support for the Android toolbox,
- Small TE policy written from scratch for Android,
- Confined domains for system services and apps,
- Use of MLS categories to isolate apps.

The goal of Security Enhanced (SE) Android is to improve our understanding of Android security, integrate SELinux into Android in a comprehensive and coherent manner, demonstrate useful security functionality in Android using SELinux, improve the suitability of SELinux for Android, and identify other security gaps in Android that need to be addressed.

Well, I hope someone wants to help and whatnot...

Thank you guys so much!
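To make the last feature in that list concrete ("Use of MLS categories to isolate apps"), here is a small model of how per-app MLS categories keep one app's files out of reach of another app. This is an added illustration, not code from the SE Android project or from the poster; the `app_level` category scheme and the dominance-only access rule are simplifying assumptions, and the real policy additionally exempts trusted system domains.

```python
"""Toy model of MLS-category app isolation (added example, not from the
SE Android project). Sensitivity is fixed at s0 for every app, so the
isolation comes entirely from the category set in the security context."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sensitivity: str
    categories: frozenset

    def dominates(self, other):
        # MLS dominance: at least as high a sensitivity, and a category
        # set that is a superset of the object's category set.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text):
    """Parse an MLS level such as 's0:c1,c2' into a Level.
    A bare 's0' means an empty category set."""
    sens, _, cats = text.partition(":")
    categories = frozenset(c for c in cats.split(",") if c)
    return Level(sens, categories)


def app_level(app_uid, base_uid=10000):
    """Assign a distinct category to each app from its UID offset.
    Constructed scheme for illustration only; real labeling is set by policy."""
    return Level("s0", frozenset({f"c{app_uid - base_uid}"}))


def level_string(level):
    """Render a Level back into 's0:cN,...' form."""
    cats = ",".join(sorted(level.categories, key=lambda c: int(c[1:])))
    return level.sensitivity + (":" + cats if cats else "")


def may_access(subject_ctx, object_ctx):
    """Simplified MLS check: the subject's level must dominate the
    object's level. No other exemptions are modelled."""
    return parse_level(subject_ctx).dominates(parse_level(object_ctx))


if __name__ == "__main__":
    app_a, app_b = app_level(10001), app_level(10002)
    data_file = level_string(app_a)          # file created by app A: s0:c1
    print(may_access(level_string(app_a), data_file))  # owner app: allowed
    print(may_access(level_string(app_b), data_file))  # other app: denied
```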


----------



## Jaxidian (Jun 6, 2011)

This sounds like a very interesting project and I'd love to see something like this succeed!

On another note, I'm moving this out of the Developer forum as that forum is for releases. If you accomplish something here and release it, please PM me and I'll gladly move it back!


----------



## HalosGhost (Jun 29, 2011)

Just a small note. SELinux is a package commonly included by most major Linux distros at this point, and I'm all in favor of a port. However, apps are already sandboxed. They aren't isolated, but that could potentially break a ton of app functions. I'm not sure I have the knowledge necessary to help it be built or ported, but I sincerely hope someone does it (maybe even Google, since this really should be integrated anyway).

All the best,

-HG


----------



## yarly (Jun 22, 2011)

SELinux would be a mess to configure right on Android. It already is on systems that use it (most notably Red Hat based systems [Red Hat, Fedora, CentOS] come with it compiled into the kernel). Generally it's used more in circumstances where you have multiple users on the same system, so there's a higher degree of privilege separation.

Entire books have been written on how to configure and set it up. From my experience in using it, it's a pain in the butt for anything other than the above usage and overkill for a single user (besides being a pain to deal with when you want to install anything new that's not already configured). While I think it's a good tool to use, it's like slicing up a loaf of bread with a chainsaw if you're using it in a non-server environment. It would take a good amount of reworking to get it to compile into Android, as well as getting it to work and figuring out how to get the complex interface SELinux has to work without just using the command line every time. To get an idea of how much of a pain it is at times, grab Fedora, load it up on the live CD and play around with it. I think it still comes prepackaged in Fedora and enabled by default. I switched to Debian 4-5 years ago, so I cannot say for sure.

tl;dr: you could potentially do it, sure, but could you do it and make it work with Android and the way Android currently works? That I am not sure of, and it's probably something you would have to ask a software engineer that built the Android OS at Google, works on it for an OEM, or maybe someone that has been on the Cyanogen team for quite a while and contributes directly back to its source at the kernel level.

You *might* get a better answer if you post your question at stackoverflow than posting it here. Google employees and others that would be experts in the lower-level workings of the Android OS would be more likely to answer it there. Make sure to ask it on stackoverflow, though, and not their Android-specific site. Code questions are to be directed to stackoverflow (in case you weren't already aware, they would probably close your question quickly if you tried). If you do, though, please update/post the question link and let us know what they say; I'd like to see the answers you get in reply for my own knowledge, since it's an interesting question.

The question of *if* it's possible needs to be answered before diving into the rabbit hole of trying to compile it into the Android Linux kernel.

There have been crazier projects that have been worked out on android such as whispercore, but Moxie Marlinspike is just a crazy computer genius as well.

Just a random fun fact: SELinux was built and developed by the NSA.


----------



## HalosGhost (Jun 29, 2011)

I can confirm that SELinux does come prepackaged and enabled with Fedora.
All the best,

-HG


----------

