-
- Downloads
Audit accesses on unlabeled files.
To see whether we can safely remove these allow rules on unlabeled files
since we now have restorecon_recursive /data in init.rc to fully relabel
legacy userdata partitions, audit all accesses on such files.
Exclude the init domain since it performs the restorecon_recursive /data
and therefore will read unlabeled directories, stat unlabeled files,
and relabel unlabeled directories and files on upgrade. init may also
create/write unlabeled files in /data prior to the restorecon_recursive
/data being called.
Exclude the kernel domain for search on unlabeled:dir as this happens
during cgroup filesystem initialization in the kernel as a side effect
of populating the cgroup directory during the superblock initialization
before SELinux has set the label on the root directory.
Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633
Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
Loading
Please register or sign in to comment