author: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-06 13:02:50 -0500
committer: Nick Kralevich <nnk@google.com> 2014-03-10 20:41:34 +0000
commit: 853ffaad323b3e5db14d3f2e4fbe7fa96160ede4 (patch)
tree: 81b3ef14627d8b6491385ff4217e68dce14c012c /netd.te
parent: 3696da6e1491926b0da9010464aa3574af91c3fe (diff)
Deduplicate neverallow rules on selinuxfs operations.
We already have neverallow rules for all domains about loading policy, setting enforcing mode, and setting checkreqprot, so we can drop redundant ones from netd and appdomain. Add neverallow rules to domain.te for setbool and setsecparam and exclude them from unconfined to allow fully eliminating separate neverallow rules on the :security class from anything other than domain.te.

Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'netd.te')
-rw-r--r-- netd.te 6
1 files changed, 0 insertions, 6 deletions
diff --git a/netd.te b/netd.te
index 19fcad2..5020898 100644
--- a/netd.te
+++ b/netd.te
@@ -68,12 +68,6 @@ allow netd ctl_default_prop:property_service set;
# Block device access.
neverallow netd dev_type:blk_file { read write };
-# Setting SELinux enforcing status or booleans.
-neverallow netd kernel:security { setenforce setbool };
-
-# Load security policy.
-neverallow netd kernel:security load_policy;
-
# ptrace any other app
neverallow netd { domain }:process ptrace;
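Review bot: dropping `neverallow netd kernel:security { setenforce setbool }` and `neverallow netd kernel:security load_policy` is only safe if the replacement domain-wide rules are in place, and this view of the change is limited to netd.te, so the domain.te side cannot be confirmed from the hunk. The commit message states that domain-wide neverallow rules already exist for load_policy and setenforce, but says the setbool (and setsecparam) rules are being added to domain.te in this change; the reviewer should check that the domain.te hunk in the same commit carries `neverallow domain kernel:security setbool;` with netd not in any exclusion set, otherwise this deletion silently widens what netd may be granted on the :security class. The surviving `neverallow netd dev_type:blk_file { read write }` and `neverallow netd { domain }:process ptrace;` lines are unaffected and remain netd-specific, which matches the stated goal of centralising only the :security-class rules.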