Add new security policy in SElinux on Android 10


I want the /dev/i2c-1 device to be outside the SELinux security policy on Android 10.

I have the source code for Android 10. I tried creating a .te file in /device/thales/mt8768q/sepolicy/edgelab.te

In foo.te, I added an example similar to the one on the site: https://source.android.com/security/selinux/customize.

allow domain i2c-1_device:chr_file rw_file_perms

But, in compilation, this line generates an error.

UPDATE:

I added a new line to /device/manufacturer/device-name/BoardConfig.mk:

BOARD_SEPOLICY_DIRS += device/thales/mt8768q/sepolicy

The error is:

#line 206
device/mediatek/mt6765/sepolicy/bsp/mnld.te:8:ERROR 'syntax error' at token 'role' on line 97225:
#line 2 "device/thales/mt8768q/sepolicy/edgelab.te"
allow domain i2c-1_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } }role r;
checkpolicy:  error(s) encountered while parsing configuration

Maybe i2c-1_device is not a valid name, but I don't know how to refer to /dev/i2c-1 in .te file.

There is 1 answer

Yong On (BEST ANSWER)

You should define your domain and label.

  1. Define your dev_type (device/"manufacturer"/"device-name"/sepolicy/"your-filename".te):

    type i2c-1_device, dev_type;

  2. Label file with your type (device/"manufacturer"/"device-name"/sepolicy/file_contexts):

    /dev/i2c-1 u:object_r:i2c-1_device:s0

  3. Define your rule (device/"manufacturer"/"device-name"/"your-filename".te):

    allow domain i2c-1_device:chr_file rw_file_perms;

You'd better define your own domain and restrict access to i2c-1_device to only that domain. The example defines a dhcp domain; it's a good example.
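As an added example (not from the question or the answer), here is what the answer's last recommendation looks like when written out: instead of `allow domain ...`, which grants every process on the device access to the bus, a dedicated domain gets the rule and a neverallow makes the build fail if anything else is granted it. The domain name `edgelab`, the daemon path `/vendor/bin/edgelabd` and the file layout are assumptions; the type name `i2c-1_device` is the one used on this page, and note that every rule ends with a semicolon, which is exactly what the question's failing line was missing.

```selinux
# device/thales/mt8768q/sepolicy/edgelab.te  (assumed file; BoardConfig.mk must list this
# directory in BOARD_SEPOLICY_DIRS, as the question's UPDATE already does)

# 1. A dedicated label for the device node, so it is no longer just "device".
type i2c-1_device, dev_type;

# 2. A dedicated domain for the one process that talks to the bus (assumed name),
#    with the usual vendor exec type so init can transition into it.
type edgelab, domain;
type edgelab_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(edgelab)

# 3. Only that domain may open, read, write and ioctl the character device.
allow edgelab i2c-1_device:chr_file rw_file_perms;

# 4. Defensive check: if any other domain is ever granted these permissions on the
#    node (e.g. by a later "allow domain ..." rule), the policy build fails instead
#    of silently widening access.
neverallow { domain -edgelab } i2c-1_device:chr_file { open read write ioctl };

# device/thales/mt8768q/sepolicy/file_contexts  (assumed file; labels the node and the binary)
# /dev/i2c-1 is a character device node, so the entry is the node itself, not a directory glob.
/dev/i2c-1            u:object_r:i2c-1_device:s0
/vendor/bin/edgelabd  u:object_r:edgelab_exec:s0
```

After flashing, `ls -Z /dev/i2c-1` on the device should print `u:object_r:i2c-1_device:s0`; if it still shows `u:object_r:device:s0`, the file_contexts entry was not picked up and the allow rule can never match.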