diff options
author | Yongqin Liu <yongqin.liu@linaro.org> | 2014-08-21 13:17:03 +0800 |
---|---|---|
committer | Yongqin Liu <yongqin.liu@linaro.org> | 2014-08-21 13:17:03 +0800 |
commit | cccb0aa222df76b754dcbdf2904bfc6f73a05428 (patch) | |
tree | 4ede225fdbce96afa4566b6e12273004b7d40cd7 | |
parent | 1f0884823282dcdf6c471c34ef11daf24b4f1bda (diff) | |
download | sepolicy-selinux-hacks-lava.tar.gz |
sepolicy: make shell domain can operate rootfs and unlabeled domain dirs and filesselinux-hacks-lava
since lava-test-shell uses/creates files with
unlabeled domain and rootfs domain,
so we need this hack to make lava-test-shell run for cts test
Change-Id: Icadaf9b96a8416f451e2cbf85fb88886acbf09a8
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
-rw-r--r-- | app.te | 2 | ||||
-rw-r--r-- | domain.te | 4 |
2 files changed, 3 insertions, 3 deletions
@@ -259,7 +259,7 @@ neverallow { appdomain -shell } { domain -appdomain }:process { transition dyntransition }; # Write to rootfs. -neverallow appdomain rootfs:dir_file_class_set +neverallow { appdomain -shell } rootfs:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Write to /system. @@ -168,7 +168,7 @@ auditallow { domain -service_manager_local_audit } service_manager_type:service_ ### # Do not allow any confined domain to create new unlabeled files. -neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create; +neverallow { domain -unconfineddomain -recovery -shell } unlabeled:dir_file_class_set create; # Limit ability to ptrace or read sensitive /proc/pid files of processes # with other UIDs to these whitelisted domains. @@ -291,7 +291,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Nothing should be writing to files in the rootfs. -neverallow domain rootfs:file { create write setattr relabelto append unlink link rename }; +neverallow { domain -shell } rootfs:file { create write setattr relabelto append unlink link rename }; # Restrict context mounts to specific types marked with # the contextmount_type attribute. |