author | Stephen Smalley <sds@tycho.nsa.gov> | 2013-10-29 14:42:41 -0400 |
---|---|---|
committer | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-11-21 10:55:56 -0500 |
commit | 043b9027b3cc1c055e4ec5917f5d0d9bdc69005f (patch) | |
tree | 54225a0d75c11c306a6c71681ff2e4d641819720 | |
parent | 1ed3caf736d59f11d6c39edb3de2e0d0cd5ca71f (diff) | |
download | sepolicy-043b9027b3cc1c055e4ec5917f5d0d9bdc69005f.tar.gz |
Confine watchdogd, but leave it permissive for now.
Change-Id: If2285e927cb886956b3314dd18384145a1ebeaa9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r-- | watchdogd.te | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/watchdogd.te b/watchdogd.te
index 9af871c..33609e4 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,4 +1,11 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
-unconfined_domain(watchdogd)
-allow watchdogd rootfs:file entrypoint;
+permissive watchdogd;
+allow watchdogd rootfs:file { entrypoint r_file_perms };
+allow watchdogd self:capability mknod;
+allow watchdogd device:dir { add_name write remove_name };
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+# because of /dev/__kmsg__ and /dev/__null__
+write_klog(watchdogd)
+type_transition watchdogd device:chr_file null_device "__null__";
+allow watchdogd null_device:chr_file { create unlink }; |
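Review bot: The comment `# because of /dev/__kmsg__ and /dev/__null__` sits below `allow watchdogd self:capability mknod;` and `allow watchdogd device:dir { add_name write remove_name };`, which are the broadest grants in this hunk and appear to exist for the same reason (creating and unlinking those temporary nodes). Moving the comment above the `mknod` rule would make that justification explicit for whoever later audits the domain. Because `permissive watchdogd;` means denials are logged rather than enforced, I would also add a line next to it such as `# TODO: remove permissive once logged denials for watchdogd have been reviewed`, so the allow list is not mistaken for an enforced boundary. The `device:dir` rule may also duplicate what `write_klog()` already grants; that macro is defined outside this diff, so confirm before dropping it.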