tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/init.te
Stephen Smalley 356f4be679 Restrict requesting contexts other than policy-defined defaults. 
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission.  Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.

Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 13:14:22 -04:00

35 lines
1.3 KiB
Text
Raw Blame History

# init switches to init domain (via init.rc).
type init, domain;
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
# add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;
allow init self:capability { sys_rawio mknod };
allow init dev_type:blk_file rw_file_perms;
allow init fs_type:filesystem *;
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow init kernel:security load_policy;
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;
# Transitions to seclabel processes in init.rc
allow init adbd:process transition;
allow init healthd:process transition;
allow init recovery:process transition;
allow init shell:process transition;
allow init ueventd:process transition;
allow init watchdogd:process transition;
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
Reference in a new issue View git blame Copy permalink