From b0957fa86d25c40c9f28c27ad0dfd2eb283e9506 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 4 Apr 2013 11:34:58 -0400
Subject: [PATCH] Coalesce rules for allowing execution of shared objects by
 app domains.

Change-Id: I809738e7de038ad69905a77ea71fda4f25035d09
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/app.te b/app.te
index 9ab3ead79..126f5acaf 100644
--- a/app.te
+++ b/app.te
@@ -63,7 +63,6 @@ bluetooth_domain(release_app)
 # set it must be an mlstrustedsubject.
 type isolated_app, domain, mlstrustedsubject;
 app_domain(isolated_app)
-allow isolated_app system_data_file:file { open execute };
 
 #
 # Rules for platform app domains.
@@ -75,8 +74,6 @@ allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_
 # App sdcard file accesses
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;
-# System data file accesses (e.g, shared objects from the lib directory)
-allow platformappdomain system_data_file:file { execute open };
 
 #
 # Untrusted apps.
@@ -86,7 +83,6 @@ app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 allow untrusted_app tun_device:chr_file rw_file_perms;
-allow untrusted_app system_data_file:file { execute open };
 
 # Internal SDCard rw access.
 bool app_internal_sdcard_rw true;
@@ -134,6 +130,7 @@ allow appdomain platform_app_data_file:file { read write };
 
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
+allow appdomain system_data_file:file { execute open };
 
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { read write };
-- 
GitLab