From 2562843425bb5f13e42b8605a1568308c6faff71 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 18 Apr 2014 09:27:37 -0400
Subject: [PATCH] Audit accesses on unlabeled files.

To see whether we can safely remove these allow rules on unlabeled files
since we now have restorecon_recursive /data in init.rc to fully relabel
legacy userdata partitions, audit all accesses on such files.

Exclude the init domain since it performs the restorecon_recursive /data
and therefore will read unlabeled directories, stat unlabeled files,
and relabel unlabeled directories and files on upgrade.  init may also
create/write unlabeled files in /data prior to the restorecon_recursive
/data being called.

Exclude the kernel domain for search on unlabeled:dir as this happens
during cgroup filesystem initialization in the kernel as a side effect
of populating the cgroup directory during the superblock initialization
before SELinux has set the label on the root directory.

Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te    | 1 +
 domain.te | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/app.te b/app.te
index f6b730c3f..83bb78c4a 100644
--- a/app.te
+++ b/app.te
@@ -126,6 +126,7 @@ allow appdomain dalvikcache_profiles_data_file:file write;
 # For legacy unlabeled userdata on existing devices.
 # See discussion of Unlabeled files in domain.te for more information.
 allow appdomain unlabeled:file x_file_perms;
+auditallow appdomain unlabeled:file x_file_perms;
 
 ###
 ### CTS-specific rules
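Review bot: The added `auditallow appdomain unlabeled:file x_file_perms;` has no comment marking it as a temporary diagnostic, so the reason it exists and the condition for removing it live only in the commit message. The same applies to the three `auditallow` lines added in domain.te. I would put a line above it such as `# Temporary: log any use of the legacy unlabeled allow rule; drop both rules once no granted avc records appear.` An app executing an unlabeled file is the access most worth reviewing in the resulting logs, and a comment would tell whoever triages them what a hit means.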
diff --git a/domain.te b/domain.te
index 57a5b504a..f61fd1634 100644
--- a/domain.te
+++ b/domain.te
@@ -154,6 +154,9 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 #
 allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow kernel unlabeled:dir ~search;
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 
 ###
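Review bot: `auditallow kernel unlabeled:dir ~search;` audits every dir permission except search, which is wider than the `{ create_dir_perms relabelfrom }` set used by the allow rule above it and by the other two audit rules. Because auditallow only logs accesses that are actually granted, this does not widen access, but it can log kernel accesses granted by other rules and is harder to compare against the allow line. The reasons for `-init` and `-kernel` are given only in the commit message. I would add a comment above the three lines, e.g. `# init excluded: it runs restorecon_recursive /data and touches unlabeled files before relabeling.` and `# kernel search excluded: cgroup setup populates the root dir before it is labeled.` The comment block that precedes these rules starts outside the hunk, so it may already cover part of this.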
-- 
GitLab