Relax neverallow rule for loading an updated SELinux policy.

Revert the neverallow change portion of
356df32778, in case others need to
do dynamic policy updates.

Bug: 22885422
Bug: 8949824
Change-Id: If2c13d112b346db5c011a6a61bc4486b43d46d61
Nick Kralevich 2015-08-03 08:28:26 -07:00
parent dde8290372
commit e827a8ab27
2 changed files with 6 additions and 2 deletions

@ -208,10 +208,11 @@ neverallow domain self:capability2 mac_override;
# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;
# Nobody should be able to load a new SELinux policy.
# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
neverallow domain kernel:security load_policy;
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;
# Only init and the system_server can set selinux.reload_policy 1
# to trigger a policy reload.
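Review bot: The new comment "# Only init should be able to load SELinux policies." sits above `neverallow { domain -init } kernel:security load_policy;` and can be read as saying init already holds the permission, while the rule only exempts init from the assertion and grants nothing. Suggest rewording it to say that init is the only domain that may be allowed load_policy, and that the matching allow rule is not in this file. That would keep the unchanged comment about selinux.reload_policy just below from implying that a reload works without further policy.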

@ -122,6 +122,9 @@ allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
allow init security_file:dir { create setattr };
# Reload policy upon setprop selinux.reload_policy 1.
# Note: this requires the following allow rule
# allow init kernel:security load_policy;
# which can be configured on a device-by-device basis if needed.
r_dir_file(init, security_file)
# Any operation that can modify the kernel ring buffer, e.g. clear
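Review bot: The added note that `allow init kernel:security load_policy;` "can be configured on a device-by-device basis if needed" does not say where that rule should live or what happens when it is absent. Suggest stating that it belongs in the device's own policy and that, without it, the reload triggered by setprop selinux.reload_policy 1 will not be permitted. It is also worth deciding whether `r_dir_file(init, security_file)` on the following line should stay unconditional, since the comment block ties it to the reload path that is now optional.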