sepolicy: make shell domain can operate rootfs and unlabeled domain dirs and filesselinux-hacks-lava

since lava-test-shell uses/creates files with
unlabeled domain and rootfs domain,
so we need this hack to make lava-test-shell run for cts test

Change-Id: Icadaf9b96a8416f451e2cbf85fb88886acbf09a8
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>

2 files changed, 3 insertions, 3 deletions

diff --git a/app.te b/app.te
index 0a084c9..226738a 100644
--- a/app.te
+++ b/app.te
@@ -259,7 +259,7 @@ neverallow { appdomain -shell } { domain -appdomain }:process
     { transition dyntransition };
 
 # Write to rootfs.
-neverallow appdomain rootfs:dir_file_class_set
+neverallow { appdomain -shell }  rootfs:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Write to /system.
diff --git a/domain.te b/domain.te
index 9ae611c..0d651d2 100644
--- a/domain.te
+++ b/domain.te
@@ -168,7 +168,7 @@ auditallow { domain -service_manager_local_audit } service_manager_type:service_
 ###
 
 # Do not allow any confined domain to create new unlabeled files.
-neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create;
+neverallow { domain -unconfineddomain -recovery -shell } unlabeled:dir_file_class_set create;
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
@@ -291,7 +291,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -shell } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.