diff options
author | repo sync <gcondra@google.com> | 2013-05-17 17:11:29 -0700 |
---|---|---|
committer | repo sync <gcondra@google.com> | 2013-05-20 11:08:05 -0700 |
commit | 77d4731e9d30c8971e076e2469d6957619019921 (patch) | |
tree | a09ca764a3474bfaf20c0aafee0bf3a907d382fe /racoon.te | |
parent | 42cabf341c8a600a218023ec69b3518e3d3d482c (diff) | |
download | android_external_sepolicy-77d4731e9d30c8971e076e2469d6957619019921.tar.gz android_external_sepolicy-77d4731e9d30c8971e076e2469d6957619019921.tar.bz2 android_external_sepolicy-77d4731e9d30c8971e076e2469d6957619019921.zip |
Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
Diffstat (limited to 'racoon.te')
-rw-r--r-- | racoon.te | 22 |
1 files changed, 1 insertions, 21 deletions
@@ -3,24 +3,4 @@ type racoon, domain; permissive racoon; type racoon_exec, exec_type, file_type; -init_daemon_domain(racoon) -typeattribute racoon mlstrustedsubject; - -binder_call(racoon, servicemanager) -binder_call(racoon, keystore) - -allow racoon tun_device:chr_file r_file_perms; -allow racoon cgroup:dir { add_name create }; -allow racoon kernel:system module_request; -allow racoon port:udp_socket name_bind; -allow racoon node:udp_socket node_bind; - -allow racoon self:{ key_socket udp_socket } create_socket_perms; -allow racoon self:tun_socket create; -allow racoon self:capability { net_admin net_bind_service net_raw setuid }; - -# XXX: should we give ip-up-vpn its own label (currently racoon domain) -allow racoon ppp_system_file:file rx_file_perms; -allow racoon ppp_system_file:dir search; -allow racoon vpn_data_file:file create_file_perms; -allow racoon vpn_data_file:dir w_dir_perms; +unconfined_domain(racoon) |