From 43ddc1069492ed3245a5c686ab5e0eabc618bf74 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 10 Jan 2014 16:43:22 +0000
Subject: [PATCH] Revert "Strip file execute permissions from unconfined
 domains."

I'd like to do more testing to make sure OTA updates aren't broken by this change. Until that testing is done, let's roll back this change.

This reverts commit 5da08810bb0e5724cfc45455cb88dd5fdf8a2d31.

Change-Id: I56a7f47a426cfd3487af1029283bd8ce182d5ab2
---
 unconfined.te | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/unconfined.te b/unconfined.te
index 44ba04676..96fa4fcb4 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -29,10 +29,9 @@ allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain { rootfs system_file exec_type }:file execute;
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
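Review bot: The three restored rules for `{fs_type -usermodehelper -proc_security}`, `{dev_type -kmem_device}` and `file_type` on `{ chr_file file }` no longer exclude `execute`, so unconfineddomain can again execute files of any type rather than only `rootfs`, `system_file` and `exec_type`. Nothing in the policy file records that this is a temporary rollback. I would add a comment directly above them, such as `# TODO: re-strip execute here once OTA updates are verified; see reverted commit 5da08810bb0e.`, so the hardening is not lost. `entrypoint`, `execmod` and `relabelto` remain excluded, which is worth stating in the same comment. If the OTA testing shows that only particular file types need `execute`, a narrower allow for those types would presumably be preferable to re-landing or dropping the original change wholesale. The unconfineddomain rule list continues outside this hunk.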
-- 
GitLab