Audit accesses on unlabeled files.

To see whether we can safely remove these allow rules on unlabeled files since we now have restorecon_recursive /data in init.rc to fully relabel legacy userdata partitions, audit all accesses on such files. Exclude the init domain since it performs the restorecon_recursive /data and therefore will read unlabeled directories, stat unlabeled files, and relabel unlabeled directories and files on upgrade. init may also create/write unlabeled files in /data prior to the restorecon_recursive /data being called. Exclude the kernel domain for search on unlabeled:dir as this happens during cgroup filesystem initialization in the kernel as a side effect of populating the cgroup directory during the superblock initialization before SELinux has set the label on the root directory. Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Audit accesses on unlabeled files.
25628434 · Stephen Smalley · fd352f11 · 25628434 · 25628434
Commit 25628434 authored Apr 18, 2014 by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -126,6 +126,7 @@ allow appdomain dalvikcache_profiles_data_file:file write;
 # For legacy unlabeled userdata on existing devices.
 # See discussion of Unlabeled files in domain.te for more information.
 allow appdomain unlabeled:file x_file_perms;
+auditallow appdomain unlabeled:file x_file_perms;

 ###
 ### CTS-specific rules

--- a/domain.te
+++ b/domain.te
@@ -154,6 +154,9 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 #
 allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow kernel unlabeled:dir ~search;
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;

 ###