From f853715d225f1882d0e2aa7cc3b3000c9a640a13 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 27 May 2014 10:41:56 -0400
Subject: [PATCH] Remove setting /proc/self/attr/* from unconfined.

Change I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 removed
these permissions from domain.te and added them to specific domains
as required.  Remove the permissions from unconfineddomain as well
so that they are granted only where explicitly allowed.  The earlier
change already added the necessary permissions to init, kernel,
and recovery so we do not need to add them here.

Change-Id: Ifeb5438532a7525e64328e1c54b436e9b6f7fd3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 unconfined.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unconfined.te b/unconfined.te
index 5a23c3f82..326904a03 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,7 +20,7 @@ allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system *;
-allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
+allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition setexec setfscreate setcurrent setkeycreate setsockcreate };
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;
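Review bot: The `domain:process` rule is a complement set, and nothing in the file says why the five newly excluded permissions are withheld. A comment above the rule would record it, e.g. `# setexec/setfscreate/setcurrent/setkeycreate/setsockcreate (writes to /proc/self/attr/*) are granted per domain, never via unconfineddomain.` Because `~{ ... }` allows every permission not listed, any permission later added to the process class would be granted to unconfineddomain by default. If the policy has no neverallow covering these permissions (not visible from this hunk), adding one outside this file would keep the restriction from regressing. The description names init, kernel and recovery as already covered; it is worth confirming that no other domain carrying the unconfineddomain attribute still writes these attributes.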
-- 
GitLab