Change I4be1c987a5d69ac784a56d42fc2c9063c402de11 removed all
netdomain allow rules at the same time domains were made unconfined.
Prior to that change, any domain that used the net_domain() macro
would be granted permissions required to use the network via these rules.
The change made the netdomain attribute unused in any rules, thereby
rendering the net_domain() calls pointless and requiring the allow
rules to be duplicated for any domain requiring network access. There
are two ways to resolve this inconsistency:
1. Restore the netdomain rules as in this change. In that case,
some rules in app.te can be removed as they are redundant with these rules.
-or-
2. Completely remove the netdomain attribute, the net_domain() macro,
and all calls to it. In that case, each domain that requires network
access will need to duplicate these rules or the necessary subset in order
to function.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change-Id: Ia54f0cd0bbda5c510423b1046626bd50f79ed7b6
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
