author Stephen Smalley <sds@tycho.nsa.gov> 2014-05-29 14:35:55 -0400
committer Stephen Smalley <sds@tycho.nsa.gov> 2014-05-29 14:35:55 -0400
commit eb1bbf2632dc20e836f3d340feab548ee496e291 (patch)
tree 26ef5d26af959c7c6c0e70dbdf518a2a4977aad7 /recovery.te
parent 4553074c5e01cbfbd377e6b2b0cfeb695aff0376 (diff)
Clean up kernel, init, and recovery domains.

Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules.

Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Diffstat (limited to 'recovery.te')
-rw-r--r-- recovery.te 7
1 files changed, 4 insertions, 3 deletions
diff --git a/recovery.te b/recovery.te
index 811623e..669c1da 100644
--- a/recovery.te
+++ b/recovery.te
@@ -5,11 +5,12 @@ unconfined_domain(recovery)
allow recovery self:capability2 mac_admin;
-allow recovery {dev_type -kmem_device}:dir_file_class_set relabelto;
-allow recovery {fs_type file_type}:dir_file_class_set relabelto;
-allow recovery unlabeled:filesystem mount;
+# Mount filesystems.
allow recovery fs_type:filesystem *;
+allow recovery unlabeled:filesystem *;
+
+# Create and relabel files under /system.
allow recovery exec_type:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
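
Review bot: The new `allow recovery unlabeled:filesystem *;` line grants every permission in the filesystem class on unlabeled filesystems, while the commit message gives only unmounting as the reason for widening the old `mount`-only rule. If mount and unmount are all recovery needs here, `allow recovery unlabeled:filesystem { mount unmount };` keeps the rule aligned with the stated purpose; if the wildcard is deliberate for consistency with the `fs_type:filesystem *` rule above it, say so in the `# Mount filesystems.` comment, which currently describes less than the two wildcard rules under it allow. Separately, the hunk header shows `unconfined_domain(recovery)` is still in effect, so it is worth confirming that the two removed `relabelto` rules are not simply re-granted through that macro, otherwise the narrowing to `exec_type` and `system_file` has no practical effect.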