From b8caf7fdd4dcf531900a2f8ab4e762e58eb0e0f9 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 13 Mar 2015 16:42:42 -0400
Subject: [PATCH] Move allow rules before neverallow rules.

There were a few instances where allow rules were appended
after the neverallow rules stanza in the .te file.  Also
there were some regular allow rules inserted into the CTS-specific
rules section of app.te.  Just move the rules as appropriate.
Should be no change in policy.

Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te           | 20 ++++++++++----------
 keystore.te      | 10 +++++-----
 untrusted_app.te |  8 ++++----
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/app.te b/app.te
index 40ec61079..bed6aff86 100644
--- a/app.te
+++ b/app.te
@@ -155,6 +155,16 @@ allow appdomain apk_data_file:file { rx_file_perms execmod };
 allow appdomain resourcecache_data_file:file r_file_perms;
 allow appdomain resourcecache_data_file:dir r_dir_perms;
 
+# logd access
+read_logd(appdomain)
+control_logd(appdomain)
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore({ appdomain -isolated_app })
+
 ###
 ### CTS-specific rules
 ###
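Review bot: The `keystore_key` allow rule and `use_keystore({ appdomain -isolated_app })`, now in the general rules block, have no comment, so the reason `isolated_app` is carved out is not recorded next to the rules. A line such as `# Keystore access for every app domain except isolated_app.` above the allow rule would cover both. The `# logd access` heading also sits over `control_logd(appdomain)`, which reads as more than plain log reading. If control access for all app domains is intended, the comment could say so: `# logd read and control access for all app domains`.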
@@ -171,16 +181,6 @@ selinux_check_context(appdomain)
 # Validate that each process is running in the correct security context.
 allow appdomain domain:process getattr;
 
-# logd access
-read_logd(appdomain)
-control_logd(appdomain)
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
-
-use_keystore({ appdomain -isolated_app })
-
 ###
 ### Neverallow rules
 ###
diff --git a/keystore.te b/keystore.te
index 6a89df33a..3561fede7 100644
--- a/keystore.te
+++ b/keystore.te
@@ -12,6 +12,11 @@ allow keystore keystore_exec:file { getattr };
 allow keystore tee_device:chr_file rw_file_perms;
 allow keystore tee:unix_stream_socket connectto;
 
+allow keystore keystore_service:service_manager { add find };
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
 ###
 ### Neverallow rules
 ###
@@ -25,8 +30,3 @@ neverallow { domain -keystore -init } keystore_data_file:dir *;
 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
 
 neverallow domain keystore:process ptrace;
-
-allow keystore keystore_service:service_manager { add find };
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
diff --git a/untrusted_app.te b/untrusted_app.te
index e880571eb..f645d6aa9 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -138,6 +138,10 @@ auditallow untrusted_app {
     -wifip2p_service
 }:service_manager find;
 
+# Allow verifier to access staged apks.
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
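Review bot: The comment `# Allow verifier to access staged apks.` names a verifier, but the two rules under it grant read access on `apk_tmp_file` and `apk_private_tmp_file` directories and files to the whole `untrusted_app` domain. If the grant is domain-wide because package verifiers run as `untrusted_app` (not visible in this hunk), the comment should say so, for example `# Package verifiers run in untrusted_app, so this lets any untrusted app read staged apks.` Stating the breadth next to the rule helps anyone auditing what untrusted apps can read, since the staged files include the `apk_private_tmp_file` type.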
@@ -162,7 +166,3 @@ neverallow untrusted_app service_manager_type:service_manager add;
 neverallow untrusted_app property_socket:sock_file write;
 neverallow untrusted_app init:unix_stream_socket connectto;
 neverallow untrusted_app property_type:property_service set;
-
-# Allow verifier to access staged apks.
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-- 
GitLab