Revert "Revert "Strip file execute permissions from unconfined domains.""

The recovery console now has its own domain and therefore we do not
need to allow this for unconfined domains.

This reverts commit 43ddc10694.

Change-Id: Id2d2c02ccf6ac38c48b07ab84b73348cd9c815fa
Stephen Smalley 2014-01-13 15:11:54 -05:00
parent 8aae7bda9b
commit 08fffc5db6


@ -29,9 +29,10 @@ allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
allow unconfineddomain fs_type:filesystem *;
allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod relabelto};
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod relabelto};
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain { rootfs system_file exec_type }:file execute;
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;
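Review bot: The re-grant on the new `{ rootfs system_file exec_type }:file execute` line covers class `file` only, so after this change the rules shown here give unconfined domains no `execute` on any `chr_file`. If that is intended it deserves a comment, because a domain that maps a device node with PROT_EXEC would presumably start logging denials. The three rewritten rules also still grant `execute_no_trans` on every type through the complement set, which should be inert without `execute` but makes the rules read broader than they are. I would add a comment above the new line such as `# Only allow execute from rootfs, system_file and exec_type; anything else needs an explicit per-domain rule.` The rest of the policy file lies outside the hunk, so a rule elsewhere may re-grant what is removed here.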