commit 2c8bf56f9698923641a0628bae37fe9b2033c0bb
author Stephen Smalley <sds@tycho.nsa.gov> Fri May 30 09:42:01 2014 -0400
committer Stephen Smalley <sds@tycho.nsa.gov> Fri May 30 09:42:01 2014 -0400
tree c9f1b9d39e34eda0038fc366fc30ce3456564eac
parent f85c1fc293523db241c48d815b165067b8a0f471

Only auditallow unlabeled accesses not allowed elsewhere.

https://android-review.googlesource.com/#/c/95900/ added further
unlabeled rules for installd and added explicit unlabeled rules for
vold and system_server.  Exclude these permissions from the auditallow
rules on unlabeled so that we only see the ones that would be denied if
we were to remove the allow domain rules here.

Change-Id: I2b9349ad6606bcb6a74a7e67343a8a9e5d70174c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

domain.te

diff --git a/domain.te b/domain.te
index e277972..5464d86 100644
--- a/domain.te
+++ b/domain.te
@@ -150,11 +150,18 @@
 #
 allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init -installd } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel -installd } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init -installd -vold -system_server } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel -installd -vold -system_server } unlabeled:dir { create_dir_perms relabelfrom };
 auditallow kernel unlabeled:dir ~search;
-auditallow installd unlabeled:dir ~{ getattr search relabelfrom };
-auditallow installd unlabeled:notdevfile_class_set ~{ getattr relabelfrom };
+auditallow installd unlabeled:dir ~{ getattr search relabelfrom rw_dir_perms rmdir };
+auditallow installd unlabeled:file ~{ r_file_perms getattr relabelfrom rename unlink setattr };
+auditallow installd unlabeled:{ lnk_file sock_file fifo_file } ~{ getattr relabelfrom rename unlink setattr };
+auditallow vold unlabeled:dir ~{ r_dir_perms setattr relabelfrom };
+auditallow vold unlabeled:file ~{ r_file_perms setattr relabelfrom };
+auditallow vold unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
+auditallow system_server unlabeled:dir ~r_dir_perms;
+auditallow system_server unlabeled:file ~r_file_perms;
+auditallow system_server unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
 
 ###
 ### neverallow rules