Skip to content
Snippets Groups Projects
Normal view Permalink
init.te 1.04 KiB
Newer Older
  • Learn to ignore specific revisions
    • Stephen Smalley's avatar
    SE Android policy.
    Stephen Smalley committed
    1 2 3 4 5 
    # init switches to init domain (via init.rc).
type init, domain;
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
    repo sync's avatar
    Make all domains unconfined.  
    repo sync committed
    6 7 
    # add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;
    Nick Kralevich's avatar
    domain.te: Add backwards compatibility for unlabeled files  
    Nick Kralevich committed
    8
    Stephen Smalley's avatar
    Remove several superuser capabilities from unconfined domains.  
    Stephen Smalley committed
    9 10 
    allow init self:capability { sys_rawio mknod };
    Stephen Smalley's avatar
    Remove block device access from unconfined domains.  
    Stephen Smalley committed
    11 
    allow init dev_type:blk_file rw_file_perms;
    Stephen Smalley's avatar
    Remove mount-related permissions from unconfined domains.  
    Stephen Smalley committed
    12 
    allow init fs_type:filesystem *;
    Nick Kralevich's avatar
    domain.te: Add backwards compatibility for unlabeled files  
    Nick Kralevich committed
    13 
    allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
    Stephen Smalley's avatar
    Allow kernel domain, not init domain, to set SELinux enforcing mode.  
    Stephen Smalley committed
    14 
    allow init kernel:security load_policy;
    Stephen Smalley's avatar
    Restrict the ability to set usermodehelpers and proc security settings.  
    Stephen Smalley committed
    15 16 
    allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;
    Nick Kralevich's avatar
    Remove transition / dyntransition from unconfined  
    Nick Kralevich committed
    17 18 19 20 21 22 23 24 
    
# Transitions to seclabel processes in init.rc
allow init adbd:process transition;
allow init healthd:process transition;
allow init recovery:process transition;
allow init shell:process transition;
allow init ueventd:process transition;
allow init watchdogd:process transition;
    Nick Kralevich's avatar
    Protect keystore's files.  
    Nick Kralevich committed
    25 26 27 28 29 
    
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };