Make all domains unconfined.

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

1 files changed, 1 insertions, 21 deletions

diff --git a/racoon.te b/racoon.te
index 4cebb7b..2d3afb8 100644
--- a/racoon.te
+++ b/racoon.te
@@ -3,24 +3,4 @@ type racoon, domain;
 permissive racoon;
 type racoon_exec, exec_type, file_type;
 
-init_daemon_domain(racoon)
-typeattribute racoon mlstrustedsubject;
-
-binder_call(racoon, servicemanager)
-binder_call(racoon, keystore)
-
-allow racoon tun_device:chr_file r_file_perms;
-allow racoon cgroup:dir { add_name create };
-allow racoon kernel:system module_request;
-allow racoon port:udp_socket name_bind;
-allow racoon node:udp_socket node_bind;
-
-allow racoon self:{ key_socket udp_socket } create_socket_perms;
-allow racoon self:tun_socket create;
-allow racoon self:capability { net_admin net_bind_service net_raw setuid };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon ppp_system_file:file rx_file_perms;
-allow racoon ppp_system_file:dir search;
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
+unconfined_domain(racoon)