Restrict the ability to set SELinux enforcing mode to init.

Also make su and shell permissive in non-user builds to allow use of setenforce without violating the neverallow rule. Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
author: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-02 14:18:11 -0500
committer: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-02 15:59:04 -0500
commit: d99e6d5fa135882bb51878a3c68ed3a2aebe7d04 (patch)
tree: 1c4cc818450c8a48b30cb267f3aeb7149c7a437d /shell.te
parent: 51ce2f00c5410574015ba751b6e03fbddf12c176 (diff)
download: android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.tar.gz
android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.tar.bz2
android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/shell.te b/shell.te
index 8b51003..032f70f 100644
--- a/shell.te
+++ b/shell.te
@@ -6,3 +6,6 @@ unconfined_domain(shell)
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
+
+# shell is also permissive to permit setenforce.
+permissive shell;
author	Stephen Smalley <sds@tycho.nsa.gov>	2013-12-02 14:18:11 -0500
committer	Stephen Smalley <sds@tycho.nsa.gov>	2013-12-02 15:59:04 -0500
commit	d99e6d5fa135882bb51878a3c68ed3a2aebe7d04 (patch)
tree	1c4cc818450c8a48b30cb267f3aeb7149c7a437d /shell.te
parent	51ce2f00c5410574015ba751b6e03fbddf12c176 (diff)
download	android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.tar.gz android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.tar.bz2 android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.zip