diff options
Diffstat (limited to 'init.te')
-rw-r--r-- | init.te | 17 |
1 files changed, 4 insertions, 13 deletions
@@ -99,10 +99,10 @@ allow init rootfs:{ dir file } relabelfrom; # we just allow all file types except /system files here. allow init self:capability { chown fowner fsetid }; allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl }; -allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom }; -allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink }; -allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; -allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink }; +allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom }; +allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink }; +allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; +allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink }; allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto; allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom }; allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto; @@ -123,15 +123,6 @@ allow init { dev_type -kmem_device }:chr_file { read open setattr }; allow init unlabeled:dir { create_dir_perms relabelfrom }; allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; -# Create /data/security from init.rc post-fs-data. -allow init security_file:dir { create setattr }; - -# Reload policy upon setprop selinux.reload_policy 1. -# Note: this requires the following allow rule -# allow init kernel:security load_policy; -# which can be configured on a device-by-device basis if needed. -r_dir_file(init, security_file) - # Any operation that can modify the kernel ring buffer, e.g. clear # or a read that consumes the messages that were read. allow init kernel:system syslog_mod; |