Merge "reduce duplicate SELinux rules"

b4720ae7 · Treehugger Robot · Gerrit Code Review · 1f690c6a · 34936824 · b4720ae7
Commit b4720ae7 authored 8 years ago by Treehugger Robot Committed by Gerrit Code Review 8 years ago
--- a/system_server.te
+++ b/system_server.te
@@ -111,9 +111,6 @@ allow system_server node:rawip_socket node_bind;
 # 3rd party VPN clients require a tun_socket to be created
 allow system_server self:tun_socket create_socket_perms;
-# Notify init of death.
-allow system_server init:process sigchld;
 # Talk to init and various daemons via sockets.
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)

--- a/te_macros
+++ b/te_macros
@@ -13,7 +13,7 @@ allow $1 $3:process transition;
 # New domain is entered by executing the file.
 allow $3 $2:file { entrypoint open read execute getattr };
 # New domain can send SIGCHLD to its caller.
-allow $3 $1:process sigchld;
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
 # Enable AT_SECURE, i.e. libc secure mode.
 dontaudit $1 $3:process noatsecure;
 # XXX dontaudit candidate but requires further study.

--- a/ueventd.te
+++ b/ueventd.te
@@ -8,7 +8,6 @@ tmpfs_domain(ueventd)
 type_transition ueventd device:chr_file klog_device "__kmsg__";
 allow ueventd klog_device:chr_file { create open write unlink };
-allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;