platform_system_sepolicy/kernel.te
Stephen Smalley 3f40d4f4b1 Remove block device access from unconfined domains.
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-12 13:03:38 -05:00

25 lines
876 B
Text

# Life begins with the kernel.
type kernel, domain;
allow kernel init:process dyntransition;
# The kernel is unconfined.
unconfined_domain(kernel)
relabelto_domain(kernel)
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount;
allow kernel fs_type:filesystem *;
# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
# For operations performed by kernel or init prior to switching to init domain.
## TODO: Investigate whether it is safe to remove these
allow kernel self:capability { sys_rawio mknod };
auditallow kernel self:capability { sys_rawio mknod };
allow kernel dev_type:blk_file rw_file_perms;
auditallow kernel dev_type:blk_file rw_file_perms;