-
- Downloads
There was an error fetching the commit references. Please try again later.
Audit accesses on unlabeled files.
To see whether we can safely remove these allow rules on unlabeled files
since we now have restorecon_recursive /data in init.rc to fully relabel
legacy userdata partitions, audit all accesses on such files.
Exclude the init domain since it performs the restorecon_recursive /data
and therefore will read unlabeled directories, stat unlabeled files,
and relabel unlabeled directories and files on upgrade. init may also
create/write unlabeled files in /data prior to the restorecon_recursive
/data being called.
Exclude the kernel domain for search on unlabeled:dir as this happens
during cgroup filesystem initialization in the kernel as a side effect
of populating the cgroup directory during the superblock initialization
before SELinux has set the label on the root directory.
Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633
Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
Please register or sign in to comment