From 9aea69c004b2c2ce12458374ae32482775f599f4 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 12 Mar 2013 16:05:55 -0400
Subject: [PATCH] Require entrypoint to be explicitly granted for unconfined
 domains.

Change-Id: Ieeaa002061c9e4224ea90dfa60dffb112aa152c2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 unconfined.te | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/unconfined.te b/unconfined.te
index e016584a3..af60be864 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -11,9 +11,8 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
-allow unconfineddomain fs_type:dir_file_class_set *;
-allow unconfineddomain dev_type:dir_file_class_set *;
-allow unconfineddomain file_type:dir_file_class_set *;
+allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
+allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~entrypoint;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
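Review bot: The intent of the `~entrypoint` exclusion on L25 is not recorded anywhere in the policy source, and the split into two rules on L24-L25 makes the reason non-obvious to the next reader; a comment above L25 such as `# entrypoint is deliberately withheld here: each unconfined domain must be granted entrypoint on its own executable type so that only intended executables can enter it` would keep the security rationale with the rule. The explicit class lists on L24-L25 presumably enumerate the members of `dir_file_class_set` by hand, so the unconfined rule will silently stop tracking that macro if it is ever extended; a second comment naming that correspondence (`# classes mirror dir_file_class_set, minus entrypoint on file/chr_file`) would let maintainers notice the drift. Since any domain transition into an unconfined domain now depends on an explicit entrypoint grant existing elsewhere, the commit message could also note that domains relying on the former wildcard must add such a rule, or they will fail to start after this change.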
-- 
GitLab