diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-03-06 13:02:50 -0500 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2014-03-10 20:41:34 +0000 |
commit | 853ffaad323b3e5db14d3f2e4fbe7fa96160ede4 (patch) | |
tree | 81b3ef14627d8b6491385ff4217e68dce14c012c /netd.te | |
parent | 3696da6e1491926b0da9010464aa3574af91c3fe (diff) | |
download | android_external_sepolicy-853ffaad323b3e5db14d3f2e4fbe7fa96160ede4.tar.gz android_external_sepolicy-853ffaad323b3e5db14d3f2e4fbe7fa96160ede4.tar.bz2 android_external_sepolicy-853ffaad323b3e5db14d3f2e4fbe7fa96160ede4.zip |
Deduplicate neverallow rules on selinuxfs operations.
We already have neverallow rules for all domains about
loading policy, setting enforcing mode, and setting
checkreqprot, so we can drop redundant ones from netd and appdomain.
Add neverallow rules to domain.te for setbool and setsecparam
and exclude them from unconfined to allow fully eliminating
separate neverallow rules on the :security class from anything
other than domain.te.
Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'netd.te')
-rw-r--r-- | netd.te | 6 |
1 files changed, 0 insertions, 6 deletions
@@ -68,12 +68,6 @@ allow netd ctl_default_prop:property_service set; # Block device access. neverallow netd dev_type:blk_file { read write }; -# Setting SELinux enforcing status or booleans. -neverallow netd kernel:security { setenforce setbool }; - -# Load security policy. -neverallow netd kernel:security load_policy; - # ptrace any other app neverallow netd { domain }:process ptrace; |