Except the shell domain from the transition neverallow rule.

Shell domain can transition to other domains for runas, ping, etc. Change-Id: If9aabb4f51346dc00a89d03efea25499505f278d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
author: Stephen Smalley <sds@tycho.nsa.gov> 2013-09-30 08:47:54 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> 2013-09-30 08:51:54 -0400
commit: 57085446eb49777189123a994884f76b8491ed26 (patch)
tree: bf972b2be2c55edb7037e6465adb7666f77bdc7b /app.te
parent: 513fb85cddf396c767213ddd01da8b0389463967 (diff)
download: android_external_sepolicy-57085446eb49777189123a994884f76b8491ed26.tar.gz
android_external_sepolicy-57085446eb49777189123a994884f76b8491ed26.tar.bz2
android_external_sepolicy-57085446eb49777189123a994884f76b8491ed26.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/app.te b/app.te
index e292c05..6da0895 100644
--- a/app.te
+++ b/app.te
@@ -205,7 +205,8 @@ neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
     { sigkill sigstop signal };
 
 # Transition to a non-app domain.
-neverallow { appdomain -unconfineddomain } ~appdomain:process
+# Exception for the shell domain, can transition to runas, ping, etc.
+neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
     { transition dyntransition };
 
 # Map low memory.
author	Stephen Smalley <sds@tycho.nsa.gov>	2013-09-30 08:47:54 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	2013-09-30 08:51:54 -0400
commit	57085446eb49777189123a994884f76b8491ed26 (patch)
tree	bf972b2be2c55edb7037e6465adb7666f77bdc7b /app.te
parent	513fb85cddf396c767213ddd01da8b0389463967 (diff)
download	android_external_sepolicy-57085446eb49777189123a994884f76b8491ed26.tar.gz android_external_sepolicy-57085446eb49777189123a994884f76b8491ed26.tar.bz2 android_external_sepolicy-57085446eb49777189123a994884f76b8491ed26.zip