Deduplicate neverallow rules on selinuxfs operations.
We already have neverallow rules for all domains about
loading policy, setting enforcing mode, and setting
checkreqprot, so we can drop redundant ones from netd and appdomain.
Add neverallow rules to domain.te for setbool and setsecparam
and exclude them from unconfined to allow fully eliminating
separate neverallow rules on the :security class from anything
other than domain.te.
Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/app.te b/app.te
index 2589f66..3081f53 100644
--- a/app.te
+++ b/app.te
@@ -191,13 +191,6 @@
{ read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };
-# Set SELinux enforcing mode, booleans or any other SELinux settings.
-neverallow { appdomain -unconfineddomain } kernel:security
- { setenforce setbool setsecparam setcheckreqprot };
-
-# Load security policy.
-neverallow appdomain kernel:security load_policy;
-
# Privileged netlink socket interfaces.
neverallow { appdomain -unconfineddomain }
self:{
diff --git a/domain.te b/domain.te
index e856288..c329245 100644
--- a/domain.te
+++ b/domain.te
@@ -183,6 +183,14 @@
# switching domains, there is never any need to setenforce again by init.
neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow domain kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
diff --git a/netd.te b/netd.te
index 19fcad2..5020898 100644
--- a/netd.te
+++ b/netd.te
@@ -68,12 +68,6 @@
# Block device access.
neverallow netd dev_type:blk_file { read write };
-# Setting SELinux enforcing status or booleans.
-neverallow netd kernel:security { setenforce setbool };
-
-# Load security policy.
-neverallow netd kernel:security load_policy;
-
# ptrace any other app
neverallow netd { domain }:process ptrace;
diff --git a/unconfined.te b/unconfined.te
index 80d42b3..c3355c7 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -18,7 +18,7 @@
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
-allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
+allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system *;
allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
allow unconfineddomain domain:fd *;