Don't allow types which are both file_type and fs_type

It's a bug to have a type with both the file_type and fs_type attribute. A type should be declared with either file_type, or fs_type, but not both. Create a neverallow rule which detects this situation. This works because we have the following allow rule: allow fs_type self:filesystem associate; If a type is a file_type and an fs_type, the associate allow rule will conflict with this neverallow rule. Not sure if this is the cleanest way to accomplish this, but it seems to work. Change-Id: Ida387b1df260efca15de38ae7a66ed25e353acaa

Don't allow types which are both file_type and fs_type
48212742 · Nick Kralevich · ff409bb4 · 48212742
Commit 48212742 authored 10 years ago by Nick Kralevich
--- a/file.te
+++ b/file.te
@@ -154,3 +154,12 @@ allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
+# It's a bug to assign the file_type attribute and fs_type attribute
+# to any type. Do not allow it.
+#
+# For example, the following is a bug:
+#   type apk_data_file, file_type, data_file_type, fs_type;
+# Should be:
+#   type apk_data_file, file_type, data_file_type;
+neverallow fs_type file_type:filesystem *;