remove shell_data_file from unconfined.

Domains which want to access /data/local/tmp must do so by creating their own SELinux domain. Bug: 15164984 Change-Id: I0061129c64e659c552cf6565058b0786fba59ae0

remove shell_data_file from unconfined.
ee49c0e3 · Nick Kralevich · 90cb59fd · ee49c0e3 · ee49c0e3
Commit ee49c0e3 authored 10 years ago by Nick Kralevich
--- a/init.te
+++ b/init.te
@@ -54,6 +54,10 @@ allow init watchdogd:process transition;
 allow init keystore_data_file:dir { open create read getattr setattr search };
 allow init keystore_data_file:file { getattr };
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
 # Use setexeccon(), setfscreatecon(), and setsockcreatecon().
 # setexec is for services with seclabel options.
 # setfscreate is for labeling directories and socket files.

--- a/unconfined.te
+++ b/unconfined.te
@@ -49,13 +49,29 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {
+    file_type
+    -keystore_data_file
+    -property_data_file
+    -system_file
+    -exec_type
+    -security_file
+    -shell_data_file
+}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {
+    file_type
+    -keystore_data_file
+    -property_data_file
+    -system_file
+    -exec_type
+    -security_file
+    -shell_data_file
+}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;