More will be added later.
1. Some macros used in .te file definitions
1.1 unix_socket_connect($1, $2, $3)
This is actually an m4 macro. It is defined in the te_macros files (the Android system one, plus the platform ones for MTK and qcom):
##################################### Android system te_macros file definition
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# Use set_prop(sourcedomain, targetproperty) instead.
#
define(`unix_socket_connect', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
The platform te_macros (qcom here; MTK differs) build further macros on top of it:
#####################################
# qmux_socket(clientdomain)
# Allow client domain to connectto and send
# via a local socket to the qmuxd domain.
# Also allow the client domain to remove
# its own socket.
define(`qmux_socket', `
allow $1 qmuxd_socket:dir create_dir_perms;
unix_socket_connect($1, qmuxd, qmuxd)
allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
')
#####################################
# netmgr_socket(clientdomain)
# Allow client domain to connectto and send
# via a local socket to the netmgrd domain.
# Also allow the client domain to remove
# its own socket.
define(`netmgr_socket', `
allow $1 netmgrd_socket:dir r_dir_perms;
unix_socket_connect($1, netmgrd, netmgrd)
allow $1 netmgrd_socket:sock_file { read getattr write };
')
1.2 init_daemon_domain($1)
##################################### Android system te_macros file definition
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
tmpfs_domain($1)
')
1.3 app_domain($1)
##################################### Android system te_macros file definition
# app_domain(domain)
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
')
2. Define your own .te file
2.1
This is straightforward: there are plenty of .te files under sepolicy to use as templates. Create a file under the sepolicy directory of qcom or MTK:
backup_service.te
Take the header from another file, change the name, and define our own type backup_service.
Put simply, we define a process type ourselves; backup_service carries the domain attribute,
and then we can define its permissions: what it is allowed to do and what it is not.
# backup_service
type backup_service, domain;
type backup_service_exec, exec_type, file_type;
# make transition from init to the backup_service domain
init_daemon_domain(backup_service)
unix_socket_connect(backup_service, property, init)
# allow file operations
allow ...
# allow folder-related operations
allow ...
...
Note that unix_socket_connect(backup_service, property, init) expands to exactly the two rules (write on property_socket, connectto on init) that the te_macros comment above describes as "attempting to set a property"; if that is the intent, set_prop(backup_service, <property type>) is the macro to use instead.
Of course, just defining such a .te file is only a first step and does nothing on its own,
much like writing int a = 0; in Java; the following articles will put the pieces together.
2.2 self
The policy language reserves the keyword self, which is used in the target field of an AV rule in place of a type. The following two rules are equivalent:
# These two rules are equivalent
allow user_t user_t:process signal;
allow user_t self:process signal;
------------------------------------------
# These two rules
allow user_t user_t:process signal;
allow staff_t staff_t:process signal;
# are equivalent to this single rule
allow {user_t staff_t} self:process signal;
Note: self may only be used in the target field of an AV rule; in particular it cannot be used in the source field, and you cannot declare a type or attribute identifier named self.
allow domain domain:process signal; # every process in domain can send signals to itself and to every other process in domain
allow domain self:process signal;   # every process in domain can send signals only to itself
2.5 make bootimage
After compiling, you can check whether your rules made it into the policy by looking at policy.conf under android/out/target/product/<project name>/obj/etc/sepolicy_intermediates/.
That file is the fully expanded policy: for example, search it for the name of the type you defined and see whether it appears.
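To tie sections 1.1 to 1.3, 2.1, 2.2 and 2.5 together, here is an added example (not code from the page, AOSP, MTK or qcom): a toy expander and linter for the te_macros and .te snippets above. It implements only the m4 subset those macros use (define(`name', `body') with $1..$n substitution and nested calls), flattens allow rules into tuples so that self and { a b } sets are resolved the way section 2.2 describes, flags the property-set pattern that the unix_socket_connect comment warns about, and lists the type declarations you would otherwise search for in policy.conf. The macro text, the backup_service.te content and the lint() function are all constructed here; macros the page only names (domain_auto_trans, tmpfs_domain) are deliberately left undefined and pass through unexpanded.

```python
"""Toy expander/linter for the te_macros and .te snippets on this page.
Added example, not code from the page, AOSP, MTK or qcom. Understands
only define(`name', `body') with $1..$n substitution and nested calls."""
import re

# Macro definitions transcribed from the page; domain_auto_trans and
# tmpfs_domain are intentionally undefined and will be left as written.
TE_MACROS = r"""
define(`unix_socket_connect', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
define(`qmux_socket', `
allow $1 qmuxd_socket:dir create_dir_perms;
unix_socket_connect($1, qmuxd, qmuxd)
allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
')
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
tmpfs_domain($1)
')
"""

# Constructed backup_service.te mirroring the sketch in section 2.1.
BACKUP_SERVICE_TE = """
type backup_service, domain;
type backup_service_exec, exec_type, file_type;
init_daemon_domain(backup_service)
unix_socket_connect(backup_service, property, init)
"""

DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`(.*?)'\)", re.S)
CALL_RE = re.compile(r"\b(\w+)\(([^()]*)\)")
ALLOW_RE = re.compile(r"\ballow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:{]+)"
                      r"\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,\s*([^;]*))?;", re.M)


def parse_macros(text):
    """Return {name: body} for every define(`name', `body') in text."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}


def expand(text, macros, depth=0):
    """Replace known macro calls with their bodies ($n -> nth argument),
    repeating until nothing changes. Unknown calls are left untouched."""
    if depth > 16:
        raise RecursionError("macro nesting too deep")

    def sub(m):
        name, args = m.group(1), [a.strip() for a in m.group(2).split(",")]
        if name not in macros:
            return m.group(0)
        body = macros[name]
        for i, arg in enumerate(args, 1):
            body = body.replace(f"${i}", arg)
        return body

    out = CALL_RE.sub(sub, text)
    return expand(out, macros, depth + 1) if out != text else out


def _members(tok):
    """'{ a b }' -> ['a', 'b']; 'a' -> ['a']."""
    return tok.strip("{} ").split()


def normalise(policy):
    """Flatten allow rules into (source, target, class, perm) tuples.
    'self' in the target is resolved to the source type, which is why
    'allow {user_t staff_t} self:process signal;' equals the two per-type
    rules. Permission-set macros such as create_dir_perms stay symbolic."""
    rules = set()
    for m in ALLOW_RE.finditer(policy):
        for src in _members(m.group(1)):
            for tgt in _members(m.group(2)):
                for perm in _members(m.group(4)):
                    rules.add((src, src if tgt == "self" else tgt, m.group(3), perm))
    return rules


def property_set_pattern(rules):
    """Sources holding both halves of the pattern the te_macros note calls
    'indicative of attempting to set a property'; set_prop() is the
    intended way to grant that."""
    return sorted({s for (s, _, _, _) in rules
                   if (s, "property_socket", "sock_file", "write") in rules
                   and (s, "init", "unix_stream_socket", "connectto") in rules})


def declared_types(policy):
    """{type: set(attributes)} from 'type name, attr, attr;' lines, i.e. what
    you check by searching policy.conf after make bootimage."""
    return {m.group(1): {a.strip() for a in (m.group(2) or "").split(",") if a.strip()}
            for m in TYPE_RE.finditer(policy)}


def lint(te_text, macro_text=TE_MACROS):
    """Expand a .te file and report what it really grants plus findings."""
    expanded = expand(te_text, parse_macros(macro_text))
    rules = normalise(expanded)
    return {"types": declared_types(expanded), "rules": rules,
            "property_set_without_set_prop": property_set_pattern(rules)}


if __name__ == "__main__":
    report = lint(BACKUP_SERVICE_TE)
    for rule in sorted(report["rules"]):
        print("allow %s %s:%s %s;" % rule)
    print("types:", report["types"])
    print("should use set_prop:", report["property_set_without_set_prop"])
```

Running it prints the two rules that unix_socket_connect(backup_service, property, init) really grants and names backup_service as a domain that should be using set_prop instead; point lint() at a real .te and the real te_macros to see the expanded rules before you build, rather than discovering them in policy.conf afterwards.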