Clean up kernel, init, and recovery domains.

Narrow the relabelto rules to a more specific type set
for each domain.

Drop mount permissions from the kernel domain since mounting
occurs after switching to the init domain.  This was likely
a residual of when all processes were left in the kernel domain
on a recovery boot due to the missing setcon statement in the
recovery init.rc.

Be consistent with unlabeled filesystems (i.e. filesystems
without any matching fs_use or genfs_contexts entry) so
that we can also unmount them.

Add comments to note the reason for various rules.

Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

init.te

@@ -3,17 +3,30 @@ type init, domain;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
-# add a rule to handle unlabelled mounts
-allow init unlabeled:filesystem mount;
 
 allow init self:capability { sys_rawio mknod };
 
+# Running e2fsck or mkswap via fs_mgr.
 allow init dev_type:blk_file rw_file_perms;
+
+# Mounting filesystems.
 allow init fs_type:filesystem *;
-allow init {fs_type dev_type}:dir_file_class_set relabelto;
+allow init unlabeled:filesystem *;
+
+# restorecon and restorecon_recursive calls from init.rc files.
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
+
+# Reload policy upon setprop selinux.reload_policy 1.
 allow init kernel:security load_policy;
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
+
+# Set usermodehelpers and /proc security settings.
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
 

kernel.te

@@ -8,10 +8,14 @@ allow kernel init:process dyntransition;
 # The kernel is unconfined.
 unconfined_domain(kernel)
 
-allow kernel {fs_type dev_type}:dir_file_class_set relabelto;
-allow kernel {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow kernel unlabeled:filesystem mount;
-allow kernel fs_type:filesystem *;
+# init direct restorecon calls prior to switching to init domain
+# /dev and /dev/socket
+allow kernel { device socket_device }:dir relabelto;
+# /dev/__properties__
+allow kernel properties_device:file relabelto;
+# /sys
+allow kernel sysfs:{ dir file lnk_file } relabelfrom;
+allow kernel sysfs_type:{ dir file lnk_file } relabelto;
 
 # Initial setenforce by init prior to switching to init domain.
 # We use dontaudit instead of allow to prevent a kernel spawned userspace

recovery.te

@@ -5,11 +5,12 @@ unconfined_domain(recovery)
 
 allow recovery self:capability2 mac_admin;
 
-allow recovery {dev_type -kmem_device}:dir_file_class_set relabelto;
-allow recovery {fs_type file_type}:dir_file_class_set relabelto;
-allow recovery unlabeled:filesystem mount;
+# Mount filesystems.
 allow recovery fs_type:filesystem *;
+allow recovery unlabeled:filesystem *;
 
+
+# Create and relabel files under /system.
 allow recovery exec_type:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
 allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };