-
Nick Kralevich authoredIt's a CTS requirement that all SELinux domains be in enforcing mode. Add the same assertion to the build system when targeting user builds. In particular, this avoids a situation where device integrity checking is enabled on user builds, but permissive denials are being generated, causing the device to unexpectedly reboot into safe mode. A developer wanting to put an SELinux domain into permissive mode for userdebug/eng purposes can write the following in their policy: userdebug_or_eng(` permissive foo; ') Bug: 26902605 Bug: 27313768 (cherry picked from commit bca98efa) Change-Id: If6abe1fa70c79a1fccdbdd9ff273d92de7565a73Nick Kralevich authoredIt's a CTS requirement that all SELinux domains be in enforcing mode. Add the same assertion to the build system when targeting user builds. In particular, this avoids a situation where device integrity checking is enabled on user builds, but permissive denials are being generated, causing the device to unexpectedly reboot into safe mode. A developer wanting to put an SELinux domain into permissive mode for userdebug/eng purposes can write the following in their policy: userdebug_or_eng(` permissive foo; ') Bug: 26902605 Bug: 27313768 (cherry picked from commit bca98efa) Change-Id: If6abe1fa70c79a1fccdbdd9ff273d92de7565a73