Commit b1a14d9b authored by Nick Kralevich, committed by Android Git Automerger

am 4abd409a: Relax neverallow rule for loading an updated SELinux policy.

* commit '4abd409a':
  Relax neverallow rule for loading an updated SELinux policy.
parents bef30f8c 4abd409a
...@@ -209,10 +209,11 @@ neverallow domain self:capability2 mac_override; ...@@ -209,10 +209,11 @@ neverallow domain self:capability2 mac_override;
# Only recovery needs mac_admin to set contexts not defined in current policy. # Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin; neverallow { domain -recovery } self:capability2 mac_admin;
# Nobody should be able to load a new SELinux policy. # Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain, # The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet. # but this does not trigger a denial since there is no policy yet.
neverallow domain kernel:security load_policy; # Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;
# Only init and the system_server can set selinux.reload_policy 1 # Only init and the system_server can set selinux.reload_policy 1
# to trigger a policy reload. # to trigger a policy reload.
......
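Review bot: The new comment above `neverallow { domain -init } kernel:security load_policy;` should say where the matching allow rule for init lives, because this hunk only relaxes a build-time assertion and grants nothing itself. With init exempted, the remaining guard on a reload is the following rule on who may set `selinux.reload_policy`, so it is worth stating in the comment that the two rules are meant to be read together. Consider also noting that the exemption covers everything running in the init domain, so any process left in that domain without a transition is no longer covered by this assertion when it is given `load_policy`.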