am 73b0346a: Explictly allow init and kernel unlabeled access.

* commit '73b0346a': Explictly allow init and kernel unlabeled access.

am 73b0346a: Explictly allow init and kernel unlabeled access.
871b832c · Stephen Smalley · Android Git Automerger · e3a92d50 · 73b0346a · 871b832c
Commit 871b832c authored 10 years ago by Stephen Smalley Committed by Android Git Automerger 10 years ago
--- a/init.te
+++ b/init.te
@@ -19,6 +19,10 @@ allow init unlabeled:filesystem *;
 # we just allow all file types except /system files here.
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;

+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
 # Reload policy upon setprop selinux.reload_policy 1.
 allow init kernel:security load_policy;


--- a/kernel.te
+++ b/kernel.te
@@ -8,6 +8,9 @@ allow kernel init:process dyntransition;
 # The kernel is unconfined.
 unconfined_domain(kernel)

+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
 # init direct restorecon calls prior to switching to init domain
 # /dev and /dev/socket
 allow kernel { device socket_device }:dir relabelto;