Stephen Smalley authored
To see whether we can safely remove these allow rules on unlabeled files since we now have restorecon_recursive /data in init.rc to fully relabel legacy userdata partitions, audit all accesses on such files.

Exclude the init domain since it performs the restorecon_recursive /data and therefore will read unlabeled directories, stat unlabeled files, and relabel unlabeled directories and files on upgrade. init may also create/write unlabeled files in /data prior to the restorecon_recursive /data being called.

Exclude the kernel domain for search on unlabeled:dir as this happens during cgroup filesystem initialization in the kernel as a side effect of populating the cgroup directory during the superblock initialization before SELinux has set the label on the root directory.

Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
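
One way to triage the audit output such a change produces, as an added example that is not part of the commit or the project's code: it assumes the auditing is done with `auditallow` rules, which log `avc: granted` records, and tallies which domains still touch `unlabeled` objects. The log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not captured from a real device).
SAMPLE_LOG = """\
type=1400 audit(1.1:5): avc:  granted  { read open } for  pid=812 comm="system_server" name="a.xml" dev="mmcblk0p23" ino=11 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 audit(1.2:6): avc:  granted  { read } for  pid=812 comm="system_server" name="b.xml" dev="mmcblk0p23" ino=12 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 audit(1.3:7): avc:  granted  { search } for  pid=140 comm="installd" name="old" dev="mmcblk0p23" ino=13 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
type=1400 audit(1.4:8): avc:  denied  { write } for  pid=900 comm="app" name="c" dev="mmcblk0p23" ino=14 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 audit(1.5:9): avc:  granted  { read } for  pid=812 comm="system_server" name="d" dev="mmcblk0p23" ino=15 scontext=u:r:system_server:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>granted|denied)\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def unlabeled_grants(log_text):
    """Count granted accesses to unlabeled objects per (domain, class, perm)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["result"] != "granted":
            continue  # denials are a separate question; only audit hits matter
        if context_type(m["tcontext"]) != "unlabeled":
            continue  # audited access to an object that does carry a label
        domain = context_type(m["scontext"])
        for perm in m["perms"].split():
            counts[(domain, m["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (domain, tclass, perm), n in sorted(unlabeled_grants(SAMPLE_LOG).items()):
        print(f"{n:4d}  {domain} -> unlabeled:{tclass} {{ {perm} }}")
```

An empty tally after upgrading a device with a legacy userdata partition is the evidence the commit is looking for; any remaining entry names the domain and permission that would break if the allow rule were dropped.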