SELinux project website
https://selinuxproject.org/page/TypeStatements
Android SELinux
https://source.android.com/security/selinux
In Android 7.0 and earlier, device manufacturers could add policy to BOARD_SEPOLICY_DIRS, including policy meant to augment AOSP policy across different device types. In Android 8.0 and higher, adding a policy to BOARD_SEPOLICY_DIRS places the policy only in the vendor image.
In Android 8.0 and higher, policy exists in the following locations in AOSP:
system/sepolicy/public. Includes policy exported for use in vendor-specific policy. Everything goes into the Android 8.0 compatibility infrastructure. Public policy is meant to persist across releases so you can include anything /public in your customized policy. Because of this, the type of policy that can be placed in /public is more restricted. Consider this the platform's exported policy API: Anything that deals with the interface between /system and /vendor belongs here.
system/sepolicy/private. Includes policy necessary for the functioning of the system image, but of which vendor image policy should have no knowledge.
system/sepolicy/vendor. Includes policy for components that go in /vendor but exist in the core platform tree (not device-specific directories). This is an artifact of the build system's distinction between devices and global components; conceptually this is a part of the device-specific policy described below.
device/manufacturer/device-name/sepolicy. Includes device-specific policy. Also includes device customizations to policy, which in Android 8.0 and higher corresponds to policy for components on the vendor image.