Merge "Revisit kernel setenforce"

f67e0ef3 · Nick Kralevich · Gerrit Code Review · 4fc25052 · abae8a9b · f67e0ef3
Commit f67e0ef3 authored 10 years ago by Nick Kralevich Committed by Gerrit Code Review 10 years ago
--- a/domain.te
+++ b/domain.te
@@ -169,7 +169,8 @@ neverallow { domain -init } kernel:security load_policy;
 # init starts in kernel domain and switches to init domain via setcon in
 # the init.rc, so the setenforce occurs while still in kernel. After
 # switching domains, there is never any need to setenforce again by init.
-neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+neverallow domain kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
 # No booleans in AOSP policy, so no need to ever set them.
 neverallow domain kernel:security setbool;

--- a/kernel.te
+++ b/kernel.te
@@ -11,7 +11,9 @@ allow kernel unlabeled:filesystem mount;
 allow kernel fs_type:filesystem *;
 # Initial setenforce by init prior to switching to init domain.
-allow kernel self:security setenforce;
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel self:security setcheckreqprot;