diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2013-12-02 14:18:11 -0500 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2013-12-02 15:59:04 -0500 |
commit | d99e6d5fa135882bb51878a3c68ed3a2aebe7d04 (patch) | |
tree | 1c4cc818450c8a48b30cb267f3aeb7149c7a437d /shell.te | |
parent | 51ce2f00c5410574015ba751b6e03fbddf12c176 (diff) | |
download | android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.tar.gz android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.tar.bz2 android_external_sepolicy-d99e6d5fa135882bb51878a3c68ed3a2aebe7d04.zip |
Restrict the ability to set SELinux enforcing mode to init.
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.
Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'shell.te')
-rw-r--r-- | shell.te | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -6,3 +6,6 @@ unconfined_domain(shell) # Run app_process. # XXX Split into its own domain? app_domain(shell) + +# shell is also permissive to permit setenforce. +permissive shell; |