From 73b0346a7d8c500c24731575c118b2fefb8075ea Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 30 May 2014 09:53:00 -0400
Subject: [PATCH] Explictly allow init and kernel unlabeled access.

These permissions are already allowed indirectly via unconfineddomain
and via domain, but ultimately we plan to remove them from those two
attributes.  Explicitly allow the ones we expect to be required,
matching the complement of the auditallow rules in domain.te.

Change-Id: I43edca89d59c159b97d49932239f8952a848031c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 init.te   | 4 ++++
 kernel.te | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/init.te b/init.te
index 5cb947199..5397a8217 100644
--- a/init.te
+++ b/init.te
@@ -19,6 +19,10 @@ allow init unlabeled:filesystem *;
 # we just allow all file types except /system files here.
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
 # Reload policy upon setprop selinux.reload_policy 1.
 allow init kernel:security load_policy;
 
diff --git a/kernel.te b/kernel.te
index 96b57407e..1faa9db80 100644
--- a/kernel.te
+++ b/kernel.te
@@ -8,6 +8,9 @@ allow kernel init:process dyntransition;
 # The kernel is unconfined.
 unconfined_domain(kernel)
 
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
 # init direct restorecon calls prior to switching to init domain
 # /dev and /dev/socket
 allow kernel { device socket_device }:dir relabelto;
-- 
GitLab