Confine watchdogd, but leave it permissive for now.

Change-Id: If2285e927cb886956b3314dd18384145a1ebeaa9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Confine watchdogd, but leave it permissive for now.
043b9027 · Stephen Smalley · Robert Craig · 1ed3caf7 · 043b9027
Commit 043b9027 authored 11 years ago by Stephen Smalley Committed by Robert Craig 11 years ago
--- a/watchdogd.te
+++ b/watchdogd.te
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
-unconfined_domain(watchdogd)
+permissive watchdogd;
-allow watchdogd rootfs:file entrypoint;
+allow watchdogd rootfs:file { entrypoint r_file_perms };
+allow watchdogd self:capability mknod;
+allow watchdogd device:dir { add_name write remove_name };
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+# because of /dev/__kmsg__ and /dev/__null__
+write_klog(watchdogd)
+type_transition watchdogd device:chr_file null_device "__null__";
+allow watchdogd null_device:chr_file { create unlink };