Explictly allow init and kernel unlabeled access.
These permissions are already allowed indirectly via unconfineddomain
and via domain, but ultimately we plan to remove them from those two
attributes. Explicitly allow the ones we expect to be required,
matching the complement of the auditallow rules in domain.te.
Change-Id: I43edca89d59c159b97d49932239f8952a848031c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/init.te b/init.te
index 5cb9471..5397a82 100644
--- a/init.te
+++ b/init.te
@@ -19,6 +19,10 @@
# we just allow all file types except /system files here.
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
# Reload policy upon setprop selinux.reload_policy 1.
allow init kernel:security load_policy;
diff --git a/kernel.te b/kernel.te
index 96b5740..1faa9db 100644
--- a/kernel.te
+++ b/kernel.te
@@ -8,6 +8,9 @@
# The kernel is unconfined.
unconfined_domain(kernel)
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
# init direct restorecon calls prior to switching to init domain
# /dev and /dev/socket
allow kernel { device socket_device }:dir relabelto;