03ce512072
Don't allow writes to /system from unconfined domains. /system is always mounted read-only, and no process should ever need to write there. Allow recovery to write to /system. This is needed to apply OTA images. Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
22 lines
771 B
Text
22 lines
771 B
Text
# Life begins with the kernel.
|
|
type kernel, domain;
|
|
|
|
# setcon to init domain.
|
|
allow kernel self:process setcurrent;
|
|
allow kernel init:process dyntransition;
|
|
|
|
# The kernel is unconfined.
|
|
unconfined_domain(kernel)
|
|
|
|
allow kernel {fs_type dev_type}:dir_file_class_set relabelto;
|
|
allow kernel {file_type -system_file -exec_type}:dir_file_class_set relabelto;
|
|
allow kernel unlabeled:filesystem mount;
|
|
allow kernel fs_type:filesystem *;
|
|
|
|
# Initial setenforce by init prior to switching to init domain.
|
|
# We use dontaudit instead of allow to prevent a kernel spawned userspace
|
|
# process from turning off SELinux once enabled.
|
|
dontaudit kernel self:security setenforce;
|
|
|
|
# Set checkreqprot by init.rc prior to switching to init domain.
|
|
allow kernel self:security setcheckreqprot;
|