Deduplicate neverallow rules on selinuxfs operations.

We already have neverallow rules for all domains about loading policy, setting enforcing mode, and setting checkreqprot, so we can drop redundant ones from netd and appdomain. Add neverallow rules to domain.te for setbool and setsecparam and exclude them from unconfined to allow fully eliminating separate neverallow rules on the :security class from anything other than domain.te. Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Deduplicate neverallow rules on selinuxfs operations.
853ffaad · Stephen Smalley · Nick Kralevich · 3696da6e · 853ffaad · 853ffaad
Commit 853ffaad authored 11 years ago by Stephen Smalley Committed by Nick Kralevich 11 years ago
--- a/app.te
+++ b/app.te
@@ -191,13 +191,6 @@ neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
    { read write };
 neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

-# Set SELinux enforcing mode, booleans or any other SELinux settings.
-neverallow { appdomain -unconfineddomain } kernel:security
-    { setenforce setbool setsecparam setcheckreqprot };
-
-# Load security policy.
-neverallow appdomain kernel:security load_policy;
-
 # Privileged netlink socket interfaces.
 neverallow { appdomain -unconfineddomain }
    self:{

--- a/domain.te
+++ b/domain.te
@@ -183,6 +183,14 @@ neverallow { domain -init } kernel:security load_policy;
 # switching domains, there is never any need to setenforce again by init.
 neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };

+# No booleans in AOSP policy, so no need to ever set them.
+neverallow domain kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
 # Only init, ueventd and system_server should be able to access HW RNG
 neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;


--- a/netd.te
+++ b/netd.te
@@ -68,12 +68,6 @@ allow netd ctl_default_prop:property_service set;
 # Block device access.
 neverallow netd dev_type:blk_file { read write };

-# Setting SELinux enforcing status or booleans.
-neverallow netd kernel:security { setenforce setbool };
-
-# Load security policy.
-neverallow netd kernel:security load_policy;
-
 # ptrace any other app
 neverallow netd { domain }:process ptrace;


--- a/unconfined.te
+++ b/unconfined.te
@@ -18,7 +18,7 @@

 allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
-allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
+allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
 allow unconfineddomain domain:fd *;