02dac03a8c
This was originally to limit the ability to relabel files to particular types given the ability of all domains to relabelfrom unlabeled files. Since the latter was removed by Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves any purpose. Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
30 lines
1.0 KiB
Plaintext
30 lines
1.0 KiB
Plaintext
# init switches to init domain (via init.rc).
|
|
type init, domain;
|
|
# init is unconfined.
|
|
unconfined_domain(init)
|
|
tmpfs_domain(init)
|
|
# add a rule to handle unlabelled mounts
|
|
allow init unlabeled:filesystem mount;
|
|
|
|
allow init self:capability { sys_rawio mknod };
|
|
|
|
allow init dev_type:blk_file rw_file_perms;
|
|
allow init fs_type:filesystem *;
|
|
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
|
allow init kernel:security load_policy;
|
|
allow init usermodehelper:file rw_file_perms;
|
|
allow init proc_security:file rw_file_perms;
|
|
|
|
# Transitions to seclabel processes in init.rc
|
|
allow init adbd:process transition;
|
|
allow init healthd:process transition;
|
|
allow init recovery:process transition;
|
|
allow init shell:process transition;
|
|
allow init ueventd:process transition;
|
|
allow init watchdogd:process transition;
|
|
|
|
# Init creates keystore's directory on boot, and walks through
|
|
# the directory as part of a recursive restorecon.
|
|
allow init keystore_data_file:dir { open create read getattr setattr search };
|
|
allow init keystore_data_file:file { getattr };
|