Fix neverallow rules to eliminate CTS SELinuxTest warnings.

Fix two neverallow rules that yield Invalid SELinux context warnings from the CTS SELinuxTest. For transitions from app domains, we only need to check { domain -appdomain } (i.e. domains other than app domains), not ~appdomain (i.e. all types other than app domains). Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing since the target class is process, and such contexts are invalid. For keeping file_type and fs_type exclusive, we only need to check associate permission, not all filesystem permissions, as only associate takes a file type as the source context. Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing filesystem permissions other than associate, since the source of such checks is normally a process context. Change-Id: I6c2f63f4786d75294a6938613ba14b64212fc802 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Fix neverallow rules to eliminate CTS SELinuxTest warnings.
21ada26d · Stephen Smalley · 840e522e · 21ada26d · 21ada26d
Commit 21ada26d authored 10 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -255,7 +255,7 @@ neverallow appdomain { domain -appdomain }:process

 # Transition to a non-app domain.
 # Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell } ~appdomain:process
+neverallow { appdomain -shell } { domain -appdomain }:process
    { transition dyntransition };

 # Write to rootfs.

--- a/file.te
+++ b/file.te
@@ -167,4 +167,4 @@ allow dev_type tmpfs:filesystem associate;
 #   type apk_data_file, file_type, data_file_type, fs_type;
 # Should be:
 #   type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem *;
+neverallow fs_type file_type:filesystem associate;