platform_system_sepolicy/init.te

# init switches to init domain (via init.rc).
type init, domain;
permissive init;
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
relabelto_domain(init)
# add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;

allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow init kernel:security load_policy;
SE Android policy. 2012-01-04 18:33:27 +01:00			`# init switches to init domain (via init.rc).`
			`type init, domain;`
Move domains into per-domain permissive mode. Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1 2013-05-15 06:02:55 +02:00			`permissive init;`
SE Android policy. 2012-01-04 18:33:27 +01:00			`# init is unconfined.`
			`unconfined_domain(init)`
			`tmpfs_domain(init)`
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88 2013-07-10 23:46:05 +02:00			`relabelto_domain(init)`
Make all domains unconfined. This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11 2013-05-18 02:11:29 +02:00			`# add a rule to handle unlabelled mounts`
			`allow init unlabeled:filesystem mount;`
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88 2013-07-10 23:46:05 +02:00
			`allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;`
Only init should be able to load a security policy Bug: 9859477 Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b 2013-07-16 02:10:35 +02:00			`allow init kernel:security load_policy;`