From fed8a2a4d998ac7c8c4ebce585e5de14e95af10b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 24 Jan 2014 20:43:07 -0800
Subject: [PATCH] Remove transition / dyntransition from unconfined

Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy.

healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains.

Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
---
 healthd.te    | 2 --
 init.te       | 8 ++++++++
 kernel.te     | 3 +++
 unconfined.te | 2 +-
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/healthd.te b/healthd.te
index 125ced096..02c7ba814 100644
--- a/healthd.te
+++ b/healthd.te
@@ -1,9 +1,7 @@
 # healthd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
-type healthd_exec, exec_type, file_type;
-init_daemon_domain(healthd)
 allow healthd rootfs:file { read entrypoint };
 write_klog(healthd)
 
 # /dev/__null__ created by init prior to policy load,
diff --git a/init.te b/init.te
index abe5e78a6..bab0df369 100644
--- a/init.te
+++ b/init.te
@@ -11,3 +11,11 @@ allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
+
+# Transitions to seclabel processes in init.rc
+allow init adbd:process transition;
+allow init healthd:process transition;
+allow init recovery:process transition;
+allow init shell:process transition;
+allow init ueventd:process transition;
+allow init watchdogd:process transition;
diff --git a/kernel.te b/kernel.te
index 4ccce20f1..dfc625825 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,5 +1,8 @@
 # Life begins with the kernel.
 type kernel, domain;
+
+allow kernel init:process dyntransition;
+
 # The kernel is unconfined.
 unconfined_domain(kernel)
 relabelto_domain(kernel)
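Review bot: The six `allow init <domain>:process transition;` rules are only half of each seclabel pairing: the exec of a rootfs binary into the target domain also needs `rootfs:file entrypoint` on the target side (healthd.te shows the pattern with `allow healthd rootfs:file { read entrypoint };`), and once unconfined no longer grants transition, a `seclabel` in init.rc with no matching rule here is denied at execve rather than being covered implicitly. The comment above the list should state that coupling so the next seclabel addition is not missed, e.g. `# Every seclabel in init.rc needs a matching allow here now that unconfined no longer grants transition; the target domain must also allow rootfs:file entrypoint.` Whether init retains `setexec` on itself for the setexeccon() it performs before exec is not visible in this hunk; if init is an unconfined_domain that is still covered by the unconfined.te rule, since `setexec` is not in its excluded set, but confirm.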
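Review bot: The new `allow kernel init:process dyntransition;` has no comment and sits between the type declaration and `# The kernel is unconfined.`, so a reader cannot tell why the kernel domain needs a dynamic transition to init at all. Add one, e.g. `# init starts in the kernel domain before policy is loaded and setcon()s itself to init afterwards; this is the only dyntransition the policy grants.` The subject-side `setcurrent` that setcon() also needs is not in this hunk, but with `unconfined_domain(kernel)` still applied it remains granted by the unconfined.te rule, whose excluded set does not list it. If this policy uses neverallow elsewhere, `neverallow { domain -kernel } init:process dyntransition;` would make the "explicit transitions only" intent of the commit enforceable at policy compile time rather than by convention.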
diff --git a/unconfined.te b/unconfined.te
index 44ba04676..9facc2e18 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -19,7 +19,7 @@ allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
 allow unconfineddomain kernel:system *;
-allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace };
+allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;
-- 
GitLab
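Review bot: The changed line withholds only `transition` and `dyntransition`; `setexec` and `setcurrent` are not in the excluded set, so every unconfined domain can still prepare a transition and only the domain change itself now needs an explicit rule, which is the intent but is hidden by the complement form and deserves a comment: `# transition/dyntransition excluded: every domain change, even from an unconfined domain, must be an explicit allow.` The `~{ ... }` form also means any process permission added by a future kernel is granted to unconfined domains by default; an explicit positive list would fail closed instead, though that is a wider change than this commit. Nothing in this file prevents another .te file from re-granting `domain:process transition` broadly, so if the policy uses neverallow, one scoped to the domains audited as legitimate transition sources would make the commit message's requirement checkable rather than advisory.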