Some file types used as domain entrypoints were missing the
exec_type attribute. Add it and add a neverallow rule to
keep it that way.
Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.
Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Two new types are introduced:
sdcard_internal
sdcard_external
The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.
The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.
Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.
Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
