From f37d6b57138f485c5c128c07a2d7b6011d2ac3a4 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 21 Oct 2014 14:20:19 -0700
Subject: [PATCH] remove init_shell

This domain was originally intended to be a place to hold rules for
all init.*.rc shell scripts. However, it's now recommended that every
init service have its own SELinux domain, and the use of init_shell
is to be avoided.

Delete init_shell. No policy is using it anymore, and it's causing
confusion for people implementing device specific SELinux policy.

Bug: 18062250
Change-Id: I7c90851784b233443642ea69722f3281fd457621
---
 init_shell.te | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 init_shell.te

diff --git a/init_shell.te b/init_shell.te
deleted file mode 100644
index 51dbd07e9..000000000
--- a/init_shell.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# Restricted domain for shell processes spawned by init.
-# Normally these are shell commands or scripts invoked via sh
-# from an init*.rc file.  No service should ever run in this domain.
-type init_shell, domain;
-domain_auto_trans(init, shell_exec, init_shell)
-permissive_or_unconfined(init_shell)
-
-# Run helpers from / or /system without changing domain.
-allow init_shell rootfs:file execute_no_trans;
-allow init_shell system_file:file execute_no_trans;
-- 
GitLab