Merge "recovery: enable permissive_or_unconfined"

commit: 3957ae733f1066efa5d0ae2b03604c0b11549430 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Mon Jun 02 17:44:31 2014 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Mon Jun 02 17:44:31 2014 +0000
tree: 85413cb00ee731bc9ff95f5b999fd9c12ea80564
parent: 715023eba196cb5dd226df89181c17d9e0c6936f [diff]
parent: 4203981e8b0c741057268b6a633fe9e84b31ebd6 [diff]
diff --git a/unconfined.te b/unconfined.te
index 7c7fa4d..123d16f 100644
--- a/unconfined.te
+++ b/unconfined.te

@@ -20,7 +20,27 @@
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
-allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition setexec setfscreate setcurrent setkeycreate setsockcreate };
+allow unconfineddomain domain:process {
+    fork
+    sigchld
+    sigkill
+    sigstop
+    signull
+    signal
+    getsched
+    setsched
+    getsession
+    getpgid
+    setpgid
+    getcap
+    setcap
+    share
+    getattr
+    noatsecure
+    siginh
+    setrlimit
+    rlimitinh
+};
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;
commit	3957ae733f1066efa5d0ae2b03604c0b11549430	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Mon Jun 02 17:44:31 2014 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Mon Jun 02 17:44:31 2014 +0000
tree	85413cb00ee731bc9ff95f5b999fd9c12ea80564
parent	715023eba196cb5dd226df89181c17d9e0c6936f [diff]
parent	4203981e8b0c741057268b6a633fe9e84b31ebd6 [diff]