tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
670 commits 1 branch 0 tags 50 MiB
Commit graph

10 commits

Author SHA1 Message Date
Stephen Smalley
45ba665cfc Label and allow access to /data/system/ndebugsocket. 
Otherwise it defaults to the label of /data/system and
cannot be distinguished from any other socket in that directory.
Also adds allow rule required for pre-existing wpa_socket transition
to function without unconfined_domain.

Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2013-09-27 16:09:27 -04:00
Nick Kralevich
08f01a335d debuggerd.te: Fix relabelto policy denial 
In 0c9708b2af, we removed relabelto
from unconfined.te.  This broke debuggerd.  Fixed.

type=1400 audit(1373668537.550:5): avc:  denied  { relabelto } for  pid=44 comm="debuggerd" name="tombstones" dev="mtdblock1" ino=71 scontext=u:r:debuggerd:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir

Change-Id: Ic025cbc030d6e776d9d87b1df3240fdc5f0b53d5
 2013-07-12 15:38:41 -07:00
repo sync
77d4731e9d Make all domains unconfined. 
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
 2013-05-20 11:08:05 -07:00
repo sync
50e37b93ac Move domains into per-domain permissive mode. 
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
 2013-05-14 21:36:32 -07:00
William Roberts
7bb2a55c47 Give domains read access to security_file domain. 
/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
 2013-04-05 13:11:23 -07:00
Stephen Smalley
81fe5f7c0f Allow all domains to read the log devices. 
Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2013-04-05 13:07:16 -07:00
rpcraig
abd977a79e Additions for grouper/JB 2012-08-10 06:25:52 -04:00
Stephen Smalley
5f9917c136 Allow debuggerd to restorecon the tombstone directory. 2012-07-31 09:15:46 -04:00
Stephen Smalley
c83d0087e4 Policy changes to support running the latest CTS. 2012-03-07 14:59:01 -05:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00