From 5da08810bb0e5724cfc45455cb88dd5fdf8a2d31 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 8 Jan 2014 10:35:13 -0500
Subject: [PATCH] Strip file execute permissions from unconfined domains.

Exclude execute from the rules allowing access to files,
and only add it back for the rootfs and files labeled
with system_file (/system, /vendor) or one of the types in exec_type
(files under /system that cause domain transitions).

Change-Id: Ic72d76dc92e79bcc75a38398425af3bb1274a009
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 unconfined.te | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/unconfined.te b/unconfined.te
index 96fa4fcb4..44ba04676 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -29,9 +29,10 @@ allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod relabelto};
-allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod relabelto};
-allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod relabelto};
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
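Review bot: The re-grant on the last added line names the `file` class only, so after this hunk `execute` on `chr_file` is no longer allowed to unconfineddomain by any of these rules (the three rewritten rules exclude it for both classes); if that is intended it deserves a comment, since the commit message speaks only of files. The rule also has no comment explaining why rootfs, system_file and exec_type are the only types re-granted; a one-liner such as `# Re-grant file execute only for the rootfs, /system (system_file) and domain entrypoints (exec_type); execute on any other file_type must be allowed explicitly by the domain's own policy.` would keep the next editor from folding `execute` back into the wildcard rules. Note that `execute_no_trans` stays inside the `~{...}` wildcard on the three rewritten rules, so for the re-granted types execution without a domain transition remains possible, which seems consistent with the commit's stated intent but is worth stating in the comment as well. Whether every type carrying exec_type is also a file_type (and therefore still gets the remaining permissions from the wildcard rule) is not visible in this hunk and should be confirmed.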
-- 
GitLab