recovery: start enforcing SELinux rules

Start enforcing SELinux rules for recovery. I've been monitoring denials, and I haven't seen anything which would indicate a problem. We can always roll this back if something goes wrong. Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3
author: Nick Kralevich <nnk@google.com> 2014-06-26 16:30:10 -0700
committer: Nick Kralevich <nnk@google.com> 2014-07-07 22:05:28 +0000
commit: c2ba5ed90876e7c3f105ed658788557c68ab72b8 (patch)
tree: 2480effa3cde537ef3580e359f69278c16b7a019 /recovery.te
parent: 3508d611cc661730bdf0e706d2f1fd1814cd8c60 (diff)
download: android_external_sepolicy-c2ba5ed90876e7c3f105ed658788557c68ab72b8.tar.gz
android_external_sepolicy-c2ba5ed90876e7c3f105ed658788557c68ab72b8.tar.bz2
android_external_sepolicy-c2ba5ed90876e7c3f105ed658788557c68ab72b8.zip
1 files changed, 0 insertions, 1 deletions
diff --git a/recovery.te b/recovery.te
index 282ed3e..9c59003 100644
--- a/recovery.te
+++ b/recovery.te
@@ -8,7 +8,6 @@ type recovery, domain;
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
   allow recovery rootfs:file { entrypoint execute };
-  permissive_or_unconfined(recovery)
 
   allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
author	Nick Kralevich <nnk@google.com>	2014-06-26 16:30:10 -0700
committer	Nick Kralevich <nnk@google.com>	2014-07-07 22:05:28 +0000
commit	c2ba5ed90876e7c3f105ed658788557c68ab72b8 (patch)
tree	2480effa3cde537ef3580e359f69278c16b7a019 /recovery.te
parent	3508d611cc661730bdf0e706d2f1fd1814cd8c60 (diff)
download	android_external_sepolicy-c2ba5ed90876e7c3f105ed658788557c68ab72b8.tar.gz android_external_sepolicy-c2ba5ed90876e7c3f105ed658788557c68ab72b8.tar.bz2 android_external_sepolicy-c2ba5ed90876e7c3f105ed658788557c68ab72b8.zip