From 57085446eb49777189123a994884f76b8491ed26 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 30 Sep 2013 08:47:54 -0400
Subject: [PATCH] Except the shell domain from the transition neverallow rule.

Shell domain can transition to other domains for runas, ping, etc.

Change-Id: If9aabb4f51346dc00a89d03efea25499505f278d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index e292c0547..6da0895a9 100644
--- a/app.te
+++ b/app.te
@@ -205,7 +205,8 @@ neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
     { sigkill sigstop signal };
 
 # Transition to a non-app domain.
-neverallow { appdomain -unconfineddomain } ~appdomain:process
+# Exception for the shell domain, can transition to runas, ping, etc.
+neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
     { transition dyntransition };
 
 # Map low memory.
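Review bot: Subtracting `shell` from the source set on the changed `neverallow` line exempts it from both `transition` and `dyntransition` into every non-app domain, which is wider than the runas/ping case the commit message describes. Those targets look like exec-based transitions, so the `dyntransition` assertion could probably stay in force for shell by splitting the rule: `neverallow { appdomain -unconfineddomain } ~appdomain:process dyntransition;` and `neverallow { appdomain -shell -unconfineddomain } ~appdomain:process transition;`. Because a neverallow is only a build-time assertion, any later allow rule that lets shell transition into an unrelated domain would now pass the check unnoticed. The new comment could therefore name the expected target domains rather than ending in "etc."; which allow rules currently exist for shell is not visible from this hunk.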
-- 
GitLab