Merge "entrypoint should always be explicitly allowed."

ee43230f · Nick Kralevich · Gerrit Code Review · 00b180df · 5622cca0 · ee43230f
Commit ee43230f authored 10 years ago by Nick Kralevich Committed by Gerrit Code Review 10 years ago
--- a/unconfined.te
+++ b/unconfined.te
@@ -59,9 +59,12 @@ allow unconfineddomain {
    -security_file
    -shell_data_file
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
-allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
-allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
+allow unconfineddomain exec_type:dir r_dir_perms;
+allow unconfineddomain exec_type:file { rx_file_perms execmod };
+allow unconfineddomain exec_type:lnk_file r_file_perms;
+allow unconfineddomain system_file:dir r_dir_perms;
+allow unconfineddomain system_file:file { rx_file_perms execmod };
+allow unconfineddomain system_file:lnk_file r_file_perms;
 allow unconfineddomain {
    fs_type
    -usermodehelper
@@ -78,7 +81,7 @@ allow unconfineddomain {
    -security_file
    -shell_data_file
 }:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain { rootfs system_file exec_type }:file execute;
+allow unconfineddomain rootfs:file execute;
 allow unconfineddomain contextmount_type:dir r_dir_perms;
 allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
 allow unconfineddomain node_type:node *;