Clarify SELinux CDD requirements.

First paragraph:  change "can use" to "use" and drop the "if" to
avoid confusion about whether SELinux is mandatory.

Third paragraph:  reword for greater clarity.

List of device implementation requirements:
- Add a requirement about global enforcing mode (already tested by CTS
but not stated explicitly here),
- Drop the language about supporting per-domain permissive, as
per-domain permissive is supported by all modern kernels and since
we now require all domains to ship enforcing, we don't even strictly
need it.  Just retain the requirement that all domains be enforcing.
- Drop the SHOULD requirement on loading policy from the /sepolicy file as
nothing depends on this per se.
- Clarify that the neverallow rules live in the external/sepolicy folder,
not in the final sepolicy file.
- Drop the MUST requirement on dynamic updates of policy; if they
want to support it, then they are still free to do so but it is unclear
why it is mandatory.

Last para:  Clarify that device implementations should only add to
the upstream AOSP policy.

Change-Id: I5255536ba096821fcb14e53f8bfc06a75919cb45
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/src/compatibility/5.0/android-5.0-cdd.html b/src/compatibility/5.0/android-5.0-cdd.html
index 27e19ea..b03a643 100644
--- a/src/compatibility/5.0/android-5.0-cdd.html
+++ b/src/compatibility/5.0/android-5.0-cdd.html
@@ -5170,9 +5170,9 @@
 <h2 id=9_7_kernel_security_features>9.7. Kernel Security Features</h2>
 
 
-<p>The Android Sandbox includes features that can use the Security-Enhanced Linux
+<p>The Android Sandbox includes features that use the Security-Enhanced Linux
 (SELinux) mandatory access control (MAC) system and other security features in
-the Linux kernel. SELinux or any other security features, if implemented below
+the Linux kernel. SELinux or any other security features implemented below
 the Android framework:</p>
 
 <ul>
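Review bot: the reworded sentence "SELinux or any other security features implemented below the Android framework:" still uses "or", which can be read as presenting other security features as alternatives to SELinux, the very ambiguity the commit message says it wants to remove; consider "SELinux and any other security features implemented below the Android framework:" so the list of requirements that follows applies to SELinux together with whatever else is implemented below the framework.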
@@ -5187,30 +5187,26 @@
 affect another application (such as a Device Administration API), the API MUST
 NOT allow configurations that break compatibility. </p>
 
-<p>Devices MUST implement SELinux or an equivalent mandatory access control system
-if using a kernel other than Linux and meet the following requirements, which
+<p>Devices MUST implement SELinux or, if using a kernel other than Linux, an equivalent mandatory access control system.
+Devices must also meet the following requirements, which
 are satisfied by the reference implementation in the upstream Android Open
 Source Project.</p>
 
 <p>Device implementations:</p>
 
 <ul>
-  <li> MUST support a SELinux policy that allows the SELinux mode to be set on a
-per-domain basis, and MUST configure all domains in enforcing mode. No
+  <li> MUST set SELinux to global enforcing mode,
+  <li> MUST configure all domains in enforcing mode. No
 permissive mode domains are allowed, including domains specific to a
-device/vendor
-  <li> SHOULD load policy from /sepolicy file on the device
+device/vendor.
   <li> MUST NOT modify, omit, or replace the neverallow rules present within the
-sepolicy file provided in the upstream Android Open Source Project (AOSP) and
-the policy MUST compile with all neverallow present, for both AOSP SELinux
-domains as well as device/vendor specific domains
-  <li> MUST support dynamic updates of the SELinux policy file without requiring a
-system image update
+external/sepolicy folder provided in the upstream Android Open Source Project (AOSP) and
+the policy MUST compile with all neverallow rules present, for both AOSP SELinux
+domains as well as device/vendor specific domains.
 </ul>
 
-<p>Device implementations SHOULD retain the default SELinux policy provided in the
-upstream Android Open Source Project, until they have first audited their
-additions to the SELinux policy. Device implementations MUST be compatible with
+<p>Device implementations SHOULD retain the default SELinux policy provided in the external/sepolicy folder of the
+upstream Android Open Source Project and only further add to this policy for their own device-specific configuration. Device implementations MUST be compatible with
 the upstream Android Open Source Project.</p>
 
 <h2 id=9_8_privacy>9.8. Privacy</h2>
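Review bot: the new sentence "Devices must also meet the following requirements, which are satisfied by the reference implementation in the upstream Android Open Source Project." uses lowercase "must", whereas every other normative statement in this section uses the capitalized "MUST"; in a conformance document that distinction matters, since a reader could take the lowercase form as non-normative, so change it to "Devices MUST also meet the following requirements, ...". Smaller points in the same hunk: the new list item "MUST set SELinux to global enforcing mode," ends with a comma while the other items end with a period, and the two "MUST set SELinux to global enforcing mode" / "MUST configure all domains in enforcing mode" items could be joined into one item to avoid reading as two separate controls when the second is what makes the first meaningful.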