Commit 853ffaad authored 11 years ago by Stephen Smalley Committed by Nick Kralevich 11 years ago

Deduplicate neverallow rules on selinuxfs operations.


We already have neverallow rules for all domains about
loading policy, setting enforcing mode, and setting
checkreqprot, so we can drop redundant ones from netd and appdomain.
Add neverallow rules to domain.te for setbool and setsecparam
and exclude them from unconfined to allow fully eliminating
separate neverallow rules on the :security class from anything
other than domain.te.

Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

parent 3696da6e

No related branches found

No related tags found

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 9 additions and 14 deletions

Please register or to comment