author | Nick Kralevich <nnk@google.com> | 2013-12-06 08:54:57 -0800 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2013-12-06 08:54:57 -0800 |
commit | a6c9cdfff24d113f0d99c9572a0e5623deb593b0 (patch) | |
tree | 13a892395e6bbfbd7a763c51be5a0dd0247d8299 | |
parent | 6c8cbac334b4d7936955a509a740d2e31c794d75 (diff) | |
parent | 9e8b8d9fdfcdb6b3e8af3349df186c2ab81a9733 (diff) | |
am 9e8b8d9f: Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."
* commit '9e8b8d9fdfcdb6b3e8af3349df186c2ab81a9733':
Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."
-rw-r--r-- | domain.te | 13 | ||||
-rw-r--r-- | init.te | 1 | ||||
-rw-r--r-- | kernel.te | 3 |
3 files changed, 2 insertions, 15 deletions
@@ -130,17 +130,8 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto; ### neverallow rules ### -# Only init should be able to load SELinux policies. -# The first load technically occurs while still in the kernel domain, -# but this does not trigger a denial since there is no policy yet. -# Policy reload requires allowing this to the init domain. -neverallow { domain -init } kernel:security load_policy; - -# Only init prior to switching context should be able to set enforcing mode. -# init starts in kernel domain and switches to init domain via setcon in -# the init.rc, so the setenforce occurs while still in kernel. After -# switching domains, there is never any need to setenforce again by init. -neverallow { domain -kernel } kernel:security setenforce; +# Only init should be able to load SELinux policies and set enforcing mode. +neverallow { domain -init } kernel:security { load_policy setenforce }; # Only init, ueventd and system_server should be able to access HW RNG neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *; @@ -11,4 +11,3 @@ allow init {fs_type dev_type file_type}:dir_file_class_set relabelto; allow init kernel:security { load_policy setenforce }; allow init usermodehelper:file rw_file_perms; allow init proc_security:file rw_file_perms; -allow init kernel:security load_policy; @@ -6,6 +6,3 @@ relabelto_domain(kernel) allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto; allow kernel unlabeled:filesystem mount; - -# Initial setenforce by init prior to switching to init domain. -allow kernel self:security setenforce; |
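Review bot: The merged rule in the first hunk (domain.te, going by the diffstat), `neverallow { domain -init } kernel:security { load_policy setenforce };`, exempts init from the setenforce restriction for the whole lifetime of the init domain, and the one-line comment that replaces the removed explanation does not say why. The removed comment stated that init never needs setenforce after its domain switch, so together with the `allow init kernel:security { load_policy setenforce };` context line in the second hunk, code running in the init domain is permitted to return the system to permissive mode. The commit message gives no reason for the revert, so the rationale should be recorded next to the rule, for example `# NOTE: init keeps setenforce after its domain switch (kernel-only rule reverted), so the init domain can change enforcing mode at any time.` The third hunk removes `allow kernel self:security setenforce;`, and whether the initial setenforce now runs in the init domain cannot be confirmed from the lines shown.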