am fea6e66f: Allow kernel domain, not init domain, to set SELinux enforcing mode.

* commit 'fea6e66f':
  Allow kernel domain, not init domain, to set SELinux enforcing mode.

domain.te

@@ -130,8 +130,17 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 ### neverallow rules
 ###
 
-# Only init should be able to load SELinux policies and set enforcing mode.
-neverallow { domain -init } kernel:security { load_policy setenforce };
+# Only init should be able to load SELinux policies.
+# The first load technically occurs while still in the kernel domain,
+# but this does not trigger a denial since there is no policy yet.
+# Policy reload requires allowing this to the init domain.
+neverallow { domain -init } kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow { domain -kernel } kernel:security setenforce;
 
 # Only init, ueventd and system_server should be able to access HW RNG
 neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;

init.te

@@ -8,6 +8,6 @@ relabelto_domain(init)
 allow init unlabeled:filesystem mount;
 
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
-allow init kernel:security { load_policy setenforce };
+allow init kernel:security load_policy;
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;

kernel.te

@@ -6,3 +6,6 @@ relabelto_domain(kernel)
 
 allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow kernel unlabeled:filesystem mount;
+
+# Initial setenforce by init prior to switching to init domain.
+allow kernel self:security setenforce;