Merge "Remove MAC capabilities from unconfined domains."

8d9ef067 · Nick Kralevich · Gerrit Code Review · 0cbf06fd · 04ee5dfb · 8d9ef067
Commit 8d9ef067 authored 11 years ago by Nick Kralevich Committed by Gerrit Code Review 11 years ago
--- a/domain.te
+++ b/domain.te
@@ -147,6 +147,9 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 ### neverallow rules
 ###

+neverallow domain self:capability2 mac_override;
+neverallow { domain -recovery } self:capability2 mac_admin;
+
 # Only init should be able to load SELinux policies.
 # The first load technically occurs while still in the kernel domain,
 # but this does not trigger a denial since there is no policy yet.

--- a/recovery.te
+++ b/recovery.te
@@ -4,6 +4,8 @@ allow recovery rootfs:file entrypoint;
 unconfined_domain(recovery)
 relabelto_domain(recovery)

+allow recovery self:capability2 mac_admin;
+
 allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
 allow recovery unlabeled:filesystem mount;


--- a/unconfined.te
+++ b/unconfined.te
@@ -16,7 +16,8 @@
 # The use of this template is discouraged.
 ######################################################

-allow unconfineddomain self:capability_class_set *;
+allow unconfineddomain self:capability *;
+allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };