From c2ba5ed90876e7c3f105ed658788557c68ab72b8 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 26 Jun 2014 16:30:10 -0700
Subject: [PATCH] recovery: start enforcing SELinux rules

Start enforcing SELinux rules for recovery. I've been monitoring denials, and I haven't seen anything which would indicate a problem. We can always roll this back if something goes wrong.

Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3
---
 recovery.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/recovery.te b/recovery.te
index 282ed3e4d..9c5900381 100644
--- a/recovery.te
+++ b/recovery.te
@@ -8,7 +8,6 @@ type recovery, domain;
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
 allow recovery rootfs:file { entrypoint execute };
- permissive_or_unconfined(recovery)
 allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
-- 
GitLab