From 08fffc5db640f999a604878317342a1473f63c95 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 13 Jan 2014 15:11:54 -0500 Subject: [PATCH] Revert "Revert "Strip file execute permissions from unconfined domains."" The recovery console now has its own domain and therefore we do not need to allow this for unconfined domains. This reverts commit 43ddc1069492ed3245a5c686ab5e0eabc618bf74. Change-Id: Id2d2c02ccf6ac38c48b07ab84b73348cd9c815fa --- unconfined.te | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/unconfined.te b/unconfined.te index 96fa4fcb4..44ba04676 100644 --- a/unconfined.te +++ b/unconfined.te @@ -29,9 +29,10 @@ allow unconfineddomain domain:ipc_class_set *; allow unconfineddomain domain:key *; allow unconfineddomain fs_type:filesystem *; allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto; -allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod relabelto}; -allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod relabelto}; -allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod relabelto}; +allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto}; +allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto}; +allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto}; +allow unconfineddomain { rootfs system_file exec_type }:file execute; allow unconfineddomain node_type:node *; allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind; allow unconfineddomain netif_type:netif *;