From 6d10ca8fb6b2938b4b45a7512e483420d892842a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 13 Jan 2014 09:45:45 -0500
Subject: [PATCH] Add a domain for the recovery console.

Define a domain for use by the recovery init.rc file for
/sbin/recovery.  Start with a copy of the kernel domain
rules since that is what /sbin/recovery was previously running in,
and then add rules as appropriate.

Change-Id:  Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 recovery.te | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 recovery.te

diff --git a/recovery.te b/recovery.te
new file mode 100644
index 000000000..a52b2b546
--- /dev/null
+++ b/recovery.te
@@ -0,0 +1,11 @@
+# recovery console (used in recovery init.rc for /sbin/recovery)
+type recovery, domain;
+allow recovery rootfs:file entrypoint;
+unconfined_domain(recovery)
+relabelto_domain(recovery)
+
+allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
+allow recovery unlabeled:filesystem mount;
+
+allow recovery self:process execmem;
+allow recovery cache_file:file rx_file_perms;