Relax neverallow rule for loading an updated SELinux policy.
Revert the neverallow change portion of
356df32778732aa576e15071bf2736fbbd778b77, in case others need to
do dynamic policy updates.
(cherry-picked from commit e827a8ab27020be0f266a5a6083b11308fe1a349)
Bug: 22885422
Bug: 8949824
Change-Id: If0745e7f83523377fd19082cfc6b33ef47ca0647
diff --git a/domain.te b/domain.te
index 2af36e8..e7e0d7d 100644
--- a/domain.te
+++ b/domain.te
@@ -209,10 +209,11 @@
# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;
-# Nobody should be able to load a new SELinux policy.
+# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
-neverallow domain kernel:security load_policy;
+# Policy reload requires allowing this to the init domain.
+neverallow { domain -init } kernel:security load_policy;
# Only init and the system_server can set selinux.reload_policy 1
# to trigger a policy reload.
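Review bot: The comment on the new `neverallow { domain -init } kernel:security load_policy;` line reads as if init is now permitted to load policy, but this hunk only drops the compile-time prohibition for init; no allow rule is added anywhere in this change, so on a stock policy the reload still fails at runtime. Since a neverallow is the only assertion checked at policy build time, this relaxation means a later `allow init kernel:security load_policy;` in any device policy would pass silently, which is exactly the property the reverted rule guaranteed. I would say so in the comment so nobody reads the exemption as a grant: `# Exempting init here does not grant load_policy; a device policy must add the allow rule explicitly and should review who may set selinux.reload_policy.`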
diff --git a/init.te b/init.te
index 4bf40f5..6b57098 100644
--- a/init.te
+++ b/init.te
@@ -122,6 +122,9 @@
allow init security_file:dir { create setattr };
# Reload policy upon setprop selinux.reload_policy 1.
+# Note: this requires the following allow rule
+# allow init kernel:security load_policy;
+# which can be configured on a device-by-device basis if needed.
r_dir_file(init, security_file)
# Any operation that can modify the kernel ring buffer, e.g. clear
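Review bot: The added note says "this requires the following allow rule" and then quotes the rule as a comment, but the next non-comment line is `r_dir_file(init, security_file)`, so a reader skimming the file can take the macro as the rule being referred to. The allow rule is deliberately absent from this file, so the comment should say that rather than imply it follows. Suggested wording: `# Note: reloading also requires "allow init kernel:security load_policy;", which is intentionally not granted here and may be added in a device-specific policy.`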