From 5622cca0807eec1460ede5aea1ff1759d5e9e824 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 17 Jun 2014 15:59:58 -0400
Subject: [PATCH] entrypoint should always be explicitly allowed.

Also rewrite to use positive permission sets, macros, and
eliminate duplication.

Change-Id: I4dc340784f770e569160025a5db2dc3da90d2629
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 unconfined.te | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/unconfined.te b/unconfined.te
index 8e40b063e..ce51f306f 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -59,9 +59,12 @@ allow unconfineddomain {
     -security_file
     -shell_data_file
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
-allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
-allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
+allow unconfineddomain exec_type:dir r_dir_perms;
+allow unconfineddomain exec_type:file { rx_file_perms execmod };
+allow unconfineddomain exec_type:lnk_file r_file_perms;
+allow unconfineddomain system_file:dir r_dir_perms;
+allow unconfineddomain system_file:file { rx_file_perms execmod };
+allow unconfineddomain system_file:lnk_file r_file_perms;
 allow unconfineddomain {
     fs_type
     -usermodehelper
@@ -78,7 +81,7 @@ allow unconfineddomain {
     -security_file
     -shell_data_file
 }:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain { rootfs system_file exec_type }:file execute;
+allow unconfineddomain rootfs:file execute;
 allow unconfineddomain contextmount_type:dir r_dir_perms;
 allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
 allow unconfineddomain node_type:node *;
-- 
GitLab