Explictly allow init and kernel unlabeled access.

These permissions are already allowed indirectly via unconfineddomain and via domain, but ultimately we plan to remove them from those two attributes. Explicitly allow the ones we expect to be required, matching the complement of the auditallow rules in domain.te. Change-Id: I43edca89d59c159b97d49932239f8952a848031c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Explictly allow init and kernel unlabeled access.
73b0346a · Stephen Smalley · f85c1fc2 · 73b0346a · 73b0346a
Commit 73b0346a authored 10 years ago by Stephen Smalley
--- a/init.te
+++ b/init.te
@@ -19,6 +19,10 @@ allow init unlabeled:filesystem *;
 # we just allow all file types except /system files here.
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;

+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
 # Reload policy upon setprop selinux.reload_policy 1.
 allow init kernel:security load_policy;


--- a/kernel.te
+++ b/kernel.te
@@ -8,6 +8,9 @@ allow kernel init:process dyntransition;
 # The kernel is unconfined.
 unconfined_domain(kernel)

+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
 # init direct restorecon calls prior to switching to init domain
 # /dev and /dev/socket
 allow kernel { device socket_device }:dir relabelto;