Skip to content
Snippets Groups Projects
Commit a6c9cdff authored by Nick Kralevich's avatar Nick Kralevich Committed by Android Git Automerger
Browse files

am 9e8b8d9f: Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode." 

* commit '9e8b8d9f':
  Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."
parents 6c8cbac3 9e8b8d9f
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
domain.te
+ 2
11
View file @ a6c9cdff
...@@ -130,17 +130,8 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto; ...@@ -130,17 +130,8 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
### neverallow rules ### neverallow rules
### ###
# Only init should be able to load SELinux policies. # Only init should be able to load SELinux policies and set enforcing mode.
# The first load technically occurs while still in the kernel domain, neverallow { domain -init } kernel:security { load_policy setenforce };
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;
# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow { domain -kernel } kernel:security setenforce;
# Only init, ueventd and system_server should be able to access HW RNG # Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *; neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
......
init.te
+ 0
1
View file @ a6c9cdff
...@@ -11,4 +11,3 @@ allow init {fs_type dev_type file_type}:dir_file_class_set relabelto; ...@@ -11,4 +11,3 @@ allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow init kernel:security { load_policy setenforce }; allow init kernel:security { load_policy setenforce };
allow init usermodehelper:file rw_file_perms; allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms; allow init proc_security:file rw_file_perms;
allow init kernel:security load_policy;
kernel.te
+ 0
3
View file @ a6c9cdff
...@@ -6,6 +6,3 @@ relabelto_domain(kernel) ...@@ -6,6 +6,3 @@ relabelto_domain(kernel)
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto; allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount; allow kernel unlabeled:filesystem mount;
# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment