Require entrypoint to be explicitly granted for unconfined domains.

Change-Id: Ieeaa002061c9e4224ea90dfa60dffb112aa152c2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Require entrypoint to be explicitly granted for unconfined domains.
9aea69c0 · Stephen Smalley · Gerrit Code Review · 15b3ceda · 9aea69c0
Commit 9aea69c0 authored 12 years ago by Stephen Smalley Committed by Gerrit Code Review 12 years ago
--- a/unconfined.te
+++ b/unconfined.te
@@ -11,9 +11,8 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
-allow unconfineddomain fs_type:dir_file_class_set *;
-allow unconfineddomain dev_type:dir_file_class_set *;
-allow unconfineddomain file_type:dir_file_class_set *;
+allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
+allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~entrypoint;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket } node_bind;
 allow unconfineddomain netif_type:netif *;