From 193d1292fab464bde1e785b27b019cc869aac8a8 Mon Sep 17 00:00:00 2001
From: William Roberts <w.roberts@sta.samsung.com>
Date: Mon, 11 Feb 2013 21:13:50 +0900
Subject: [PATCH] Strengthen setenforce and setbool assertions

Change-Id: I58f15889c248b49f9e29028a3c0a86b4c950ff07
---
 assert.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/assert.te b/assert.te
index 1f12c5eed..85cb48be8 100644
--- a/assert.te
+++ b/assert.te
@@ -16,7 +16,7 @@ neverallow appdomain kmem_device:chr_file { read write };
 
 # Setting SELinux enforcing status or booleans.
 # Conditionally allowed to system_app for SEAndroidManager.
-neverallow { appdomain -system_app } kernel:security { setenforce setbool };
+neverallow { domain -unconfineddomain -system -system_app } kernel:security { setenforce setbool };
 
 # Load security policy.
 neverallow appdomain kernel:security load_policy;
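Review bot: The comment above the rewritten `neverallow` still names only system_app as the exception, but the new rule also excludes `unconfineddomain` and `system`, so the policy text no longer documents every domain left able to use setenforce and setbool. Because setenforce can turn enforcement off, each exclusion should be listed, for example `# Exempted: unconfineddomain, system, and system_app (conditionally, for SEAndroidManager).`, with the reason for `-system` added once confirmed, since it is not visible in this hunk. The `load_policy` assertion on the following context line is still scoped to `appdomain` only, so non-app domains remain outside that assertion. It may be worth widening it to `domain` with a reviewed exclusion set in a follow-up so the two kernel:security assertions stay consistent.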
-- 
GitLab