From 685e2f9d9c0d3f64e9eabb789adb0b34f5f11836 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 28 May 2014 13:48:52 -0700
Subject: [PATCH] remove syslog_* from unconfined

As suggested in https://android-review.googlesource.com/95966 , remove various syslog_* from unconfined. SELinux domains which want to use syslog_* can declare it themselves.

Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4
---
 app.te | 4 ++--
 init.te | 1 +
 unconfined.te | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/app.te b/app.te
index 296a53647..611675782 100644
--- a/app.te
+++ b/app.te
@@ -317,9 +317,9 @@ neverallow { appdomain -unconfineddomain } proc:dir_file_class_set write;
 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app -unconfineddomain }
+neverallow { appdomain -system_app }
 kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -unconfineddomain -shelldomain }
+neverallow { appdomain -system_app -shelldomain }
 kernel:system syslog_read;
 # Ability to perform any filesystem operation other than statfs(2).
diff --git a/init.te b/init.te
index e94ca4784..028c46109 100644
--- a/init.te
+++ b/init.te
@@ -12,6 +12,7 @@ allow init dev_type:blk_file rw_file_perms;
 allow init fs_type:filesystem *;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
+allow init kernel:system syslog_mod;
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
diff --git a/unconfined.te b/unconfined.te
index 326904a03..d4009f0ac 100644
--- a/unconfined.te
+++ b/unconfined.te
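Review bot: In the init.te hunk, `allow init kernel:system syslog_mod;` is added with no comment saying which init operation needs it, so a later reader cannot tell whether the grant is still required or could be dropped. init presumably received this through unconfineddomain's `kernel:system *` before this change; a line above the rule such as `# init needs syslog_mod for <operation>; formerly inherited from unconfineddomain.` would record that, with the placeholder filled in by the author. The comment could also state that syslog_read and syslog_console are deliberately not granted to init.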
@@ -19,7 +19,7 @@ allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
-allow unconfineddomain kernel:system *;
+allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
 allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition setexec setfscreate setcurrent setkeycreate setsockcreate };
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
--
GitLab
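Review bot: The new rule `allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };` removes syslog access from every domain carrying the unconfineddomain attribute, while this patch adds an explicit replacement only for init (syslog_mod, in init.te). Any other unconfined domain that uses syslog(2) or /proc/kmsg would start producing `avc: denied` entries for `kernel:system` once this lands, so the audit log of a booted device should be checked before merging. Because the rule is a complement set, every kernel:system permission other than the three named ones stays granted. A comment above the line such as `# syslog_* excluded on purpose; domains that need it must allow it in their own .te file.` would keep that intent visible.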