From 00b180dfb8195fa559f45e812c9c2a82bdbd9c40 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 17 Jun 2014 15:05:08 -0400
Subject: [PATCH] Eliminate some duplicated rules.

As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.

Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).

Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 dhcp.te          |  1 -
 domain.te        |  3 ++-
 shell.te         |  1 -
 system_server.te |  1 -
 te_macros        | 17 -----------------
 wpa.te           |  1 -
 6 files changed, 2 insertions(+), 22 deletions(-)

diff --git a/dhcp.te b/dhcp.te
index 81f6db495..9e461a4f6 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -15,7 +15,6 @@ allow dhcp system_file:file rx_file_perms;
 allow dhcp proc_net:file write;
 allow dhcp system_prop:property_service set ;
 unix_socket_connect(dhcp, property, init)
-allow dhcp owntty_device:chr_file rw_file_perms;
 
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
diff --git a/domain.te b/domain.te
index 6c800ab71..86c683f23 100644
--- a/domain.te
+++ b/domain.te
@@ -130,7 +130,8 @@ allow domain debugfs:dir r_dir_perms;
 allow domain debugfs:file w_file_perms;
 
 # Get SELinux enforcing status.
-selinux_getenforce(domain)
+allow domain selinuxfs:dir r_dir_perms;
+allow domain selinuxfs:file r_file_perms;
 
 # /data/security files
 allow domain security_file:dir { search getattr };
diff --git a/shell.te b/shell.te
index aa02ce5fc..5f70cd079 100644
--- a/shell.te
+++ b/shell.te
@@ -25,7 +25,6 @@ allow shell shell_data_file:file rx_file_perms;
 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)
 
-allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
diff --git a/system_server.te b/system_server.te
index 5f2d69183..d7643a0a4 100644
--- a/system_server.te
+++ b/system_server.te
@@ -159,7 +159,6 @@ allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
 allow system_server radio_device:chr_file r_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
-allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
 allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;
diff --git a/te_macros b/te_macros
index 7cd7d82ad..c72760eee 100644
--- a/te_macros
+++ b/te_macros
@@ -187,7 +187,6 @@ allow $1 self:capability2 block_suspend;
 # selinux_check_access(domain)
 # Allow domain to check SELinux permissions via selinuxfs.
 define(`selinux_check_access', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
 allow $1 self:netlink_selinux_socket *;
@@ -197,24 +196,14 @@ allow $1 self:netlink_selinux_socket *;
 # selinux_check_context(domain)
 # Allow domain to check SELinux contexts via selinuxfs.
 define(`selinux_check_context', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security check_context;
 ')
 
-#####################################
-# selinux_getenforce(domain)
-# Allow domain to check whether SELinux is enforcing.
-define(`selinux_getenforce', `
-allow $1 selinuxfs:dir r_dir_perms;
-allow $1 selinuxfs:file r_file_perms;
-')
-
 #####################################
 # selinux_setenforce(domain)
 # Allow domain to set SELinux to enforcing.
 define(`selinux_setenforce', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setenforce;
 ')
@@ -223,7 +212,6 @@ allow $1 kernel:security setenforce;
 # selinux_setbool(domain)
 # Allow domain to set SELinux booleans.
 define(`selinux_setbool', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setbool;
 ')
@@ -235,11 +223,6 @@ allow $1 kernel:security setbool;
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
-allow $1 security_file:lnk_file r_file_perms;
-allow $1 selinuxfs:dir r_dir_perms;
-allow $1 selinuxfs:file r_file_perms;
-allow $1 rootfs:dir r_dir_perms;
-allow $1 rootfs:file r_file_perms;
 ')
 
 #####################################
diff --git a/wpa.te b/wpa.te
index ceabf6d5f..761d3451a 100644
--- a/wpa.te
+++ b/wpa.te
@@ -15,7 +15,6 @@ allow wpa self:packet_socket create_socket_perms;
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
-allow wpa random_device:chr_file r_file_perms;
 
 binder_use(wpa)
 binder_call(wpa, keystore)
-- 
GitLab