From 853ffaad323b3e5db14d3f2e4fbe7fa96160ede4 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 6 Mar 2014 13:02:50 -0500
Subject: [PATCH] Deduplicate neverallow rules on selinuxfs operations.

We already have neverallow rules for all domains about loading policy, setting enforcing mode, and setting checkreqprot, so we can drop redundant ones from netd and appdomain. Add neverallow rules to domain.te for setbool and setsecparam and exclude them from unconfined to allow fully eliminating separate neverallow rules on the :security class from anything other than domain.te.

Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te | 7 -------
 domain.te | 8 ++++++++
 netd.te | 6 ------
 unconfined.te | 2 +-
 4 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/app.te b/app.te
index 2589f660b..3081f5388 100644
--- a/app.te
+++ b/app.te
@@ -191,13 +191,6 @@ neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file { read write };
 neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };
-# Set SELinux enforcing mode, booleans or any other SELinux settings.
-neverallow { appdomain -unconfineddomain } kernel:security
-  { setenforce setbool setsecparam setcheckreqprot };
-
-# Load security policy.
-neverallow appdomain kernel:security load_policy;
-
 # Privileged netlink socket interfaces.
 neverallow { appdomain -unconfineddomain } self:{
diff --git a/domain.te b/domain.te
index e856288de..c32924591 100644
--- a/domain.te
+++ b/domain.te
@@ -183,6 +183,14 @@ neverallow { domain -init } kernel:security load_policy;
 # switching domains, there is never any need to setenforce again by init.
 neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow domain kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
 # Only init, ueventd and system_server should be able to access HW RNG
 neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
diff --git a/netd.te b/netd.te
index 19fcad22e..50208981f 100644
--- a/netd.te
+++ b/netd.te
@@ -68,12 +68,6 @@ allow netd ctl_default_prop:property_service set;
 # Block device access.
 neverallow netd dev_type:blk_file { read write };
-# Setting SELinux enforcing status or booleans.
-neverallow netd kernel:security { setenforce setbool };
-
-# Load security policy.
-neverallow netd kernel:security load_policy;
-
 # ptrace any other app
 neverallow netd { domain }:process ptrace;
diff --git a/unconfined.te b/unconfined.te
index 80d42b3e7..c3355c745 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -18,7 +18,7 @@ allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
-allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
+allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
 allow unconfineddomain domain:fd *;
-- GitLab
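Review bot: The new `neverallow { domain -init } kernel:security setsecparam;` carves init out of the rule while the comment directly above says nothing in policy is currently allowed setsecparam, so the exclusion is a placeholder for a future grant rather than a record of an existing one, and the comment should say so explicitly. Because unconfined.te in this same commit also removes setsecparam from the unconfineddomain complement, init gets no access until an explicit allow is written even if it is unconfined (which other rules here suggest — confirm in init.te); a line such as `# init is excluded only so an explicit allow can be added later; nothing grants setsecparam today.` would prevent a reader from assuming the permission is already in effect. The setbool rule is similarly worth a one-line caveat that it rejects the whole policy at build time if a boolean is ever declared and toggled, so whoever adds the first `bool` knows where to look.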
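Review bot: The changed `allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };` grants by complement, so any permission later added to the kernel:security class is given to every unconfined domain by default, and only a matching neverallow in domain.te would catch that at policy-build time. Since this commit makes domain.te the single home for :security neverallow rules, a comment tying the two files together would keep the lists from drifting, e.g. `# Keep this exclusion list in sync with the kernel:security neverallow rules in domain.te; a permission missing from both is silently granted.` An explicit positive list of the security permissions unconfined domains actually need would be the safer default in the long run, though that is outside the scope of this change.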