685e2f9d9c
As suggested in https://android-review.googlesource.com/95966 , remove various syslog_* from unconfined. SELinux domains which want to use syslog_* can declare it themselves. Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4
36 lines
1.4 KiB
Text
36 lines
1.4 KiB
Text
# init switches to init domain (via init.rc).
|
|
type init, domain;
|
|
# init is unconfined.
|
|
unconfined_domain(init)
|
|
tmpfs_domain(init)
|
|
# add a rule to handle unlabelled mounts
|
|
allow init unlabeled:filesystem mount;
|
|
|
|
allow init self:capability { sys_rawio mknod };
|
|
|
|
allow init dev_type:blk_file rw_file_perms;
|
|
allow init fs_type:filesystem *;
|
|
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
|
allow init kernel:security load_policy;
|
|
allow init kernel:system syslog_mod;
|
|
allow init usermodehelper:file rw_file_perms;
|
|
allow init proc_security:file rw_file_perms;
|
|
|
|
# Transitions to seclabel processes in init.rc
|
|
allow init adbd:process transition;
|
|
allow init healthd:process transition;
|
|
allow init recovery:process transition;
|
|
allow init shell:process transition;
|
|
allow init ueventd:process transition;
|
|
allow init watchdogd:process transition;
|
|
|
|
# Init creates keystore's directory on boot, and walks through
|
|
# the directory as part of a recursive restorecon.
|
|
allow init keystore_data_file:dir { open create read getattr setattr search };
|
|
allow init keystore_data_file:file { getattr };
|
|
|
|
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
|
# setexec is for services with seclabel options.
|
|
# setfscreate is for labeling directories and socket files.
|
|
# setsockcreate is for labeling local/unix domain sockets.
|
|
allow init self:process { setexec setfscreate setsockcreate };
|