recovery: start enforcing SELinux rules
Start enforcing SELinux rules for recovery. I've been monitoring
denials, and I haven't seen anything which would indicate a problem.
We can always roll this back if something goes wrong.
Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3
diff --git a/recovery.te b/recovery.te
index 282ed3e..9c59003 100644
--- a/recovery.te
+++ b/recovery.te
@@ -8,7 +8,6 @@
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
allow recovery rootfs:file { entrypoint execute };
- permissive_or_unconfined(recovery)
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };