From a60abdce689f49dd8baba54fa2fe462430c58dea Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Oct 2013 14:42:36 -0400
Subject: [PATCH] Confine gpsd, but leave it permissive for now.

Change-Id: Ie7414b49eac92f7d57789cc3082dbce774561126
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 gpsd.te | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/gpsd.te b/gpsd.te
index 403a6b75d..c628631da 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -1,11 +1,21 @@
 # gpsd - GPS daemon
 type gpsd, domain;
+permissive_or_unconfined(gpsd)
 type gpsd_exec, exec_type, file_type;
 
 init_daemon_domain(gpsd)
 net_domain(gpsd)
-unconfined_domain(gpsd)
+allow gpsd gps_data_file:dir rw_dir_perms;
+allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
 # Socket is created by the daemon, not by init, and under /data/gps,
 # not under /dev/socket.
 type_transition gpsd gps_data_file:sock_file gps_socket;
+allow gpsd gps_socket:sock_file create_file_perms;
+# XXX Label sysfs files with a specific type?
+allow gpsd sysfs:file rw_file_perms;
 
+allow gpsd gps_device:chr_file rw_file_perms;
+
+# Execute the shell or system commands.
+allow gpsd shell_exec:file rx_file_perms;
+allow gpsd system_file:file rx_file_perms;
-- 
GitLab