Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."
The build is broken. Reverting temporarily to fix breakage.
libsepol.check_assertion_helper: neverallow on line 4758 violated by allow init kernel:security { setenforce };
Error while expanding policy
make: *** [out/target/product/mako/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....
This reverts commit bf12e22514.
Change-Id: I78a05756d8ce3c7d06e1d9d27e6135f4b352bb85
parent
bf12e22514
commit
9e8b8d9fdf
3 changed files with 2 additions and 15 deletions
13
domain.te
13
domain.te
|
@ -130,17 +130,8 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
|
|||
### neverallow rules
|
||||
###
|
||||
|
||||
# Only init should be able to load SELinux policies.
|
||||
# The first load technically occurs while still in the kernel domain,
|
||||
# but this does not trigger a denial since there is no policy yet.
|
||||
# Policy reload requires allowing this to the init domain.
|
||||
neverallow { domain -init } kernel:security load_policy;
|
||||
|
||||
# Only init prior to switching context should be able to set enforcing mode.
|
||||
# init starts in kernel domain and switches to init domain via setcon in
|
||||
# the init.rc, so the setenforce occurs while still in kernel. After
|
||||
# switching domains, there is never any need to setenforce again by init.
|
||||
neverallow { domain -kernel } kernel:security setenforce;
|
||||
# Only init should be able to load SELinux policies and set enforcing mode.
|
||||
neverallow { domain -init } kernel:security { load_policy setenforce };
|
||||
|
||||
# Only init, ueventd and system_server should be able to access HW RNG
|
||||
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
|
||||
|
|
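Review bot: The restored `neverallow { domain -init } kernel:security { load_policy setenforce };` again exempts the init domain from the setenforce assertion, so the policy build no longer guarantees that enforcing mode can only be set before init switches out of the kernel domain. The build error quoted in the commit message names `allow init kernel:security { setenforce }`, and init.te on the new side still carries `allow init kernel:security { load_policy setenforce };`, which appears to be the grant that tripped the stricter rule. Since the message calls this revert temporary, the restored comment should say so, for example `# TODO: restrict setenforce to the kernel domain again once init.te grants only load_policy.` The re-land would then need to narrow that init.te line to `allow init kernel:security load_policy;` in the same change as the tightened neverallow.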
1
init.te
1
init.te
|
@ -11,4 +11,3 @@ allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
|||
allow init kernel:security { load_policy setenforce };
|
||||
allow init usermodehelper:file rw_file_perms;
|
||||
allow init proc_security:file rw_file_perms;
|
||||
allow init kernel:security load_policy;
|
||||
|
|
|
@ -6,6 +6,3 @@ relabelto_domain(kernel)
|
|||
|
||||
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
||||
allow kernel unlabeled:filesystem mount;
|
||||
|
||||
# Initial setenforce by init prior to switching to init domain.
|
||||
allow kernel self:security setenforce;
|
||||
|
|