Fix neverallow rules to eliminate CTS SELinuxTest warnings.
Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.
For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains). Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.
For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context. Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 21ada26daea538397029396099dce865267bae2f)
Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e
diff --git a/app.te b/app.te
index 8288ea0..e242152 100644
--- a/app.te
+++ b/app.te
@@ -255,7 +255,7 @@
# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell } ~appdomain:process
+neverallow { appdomain -shell } { domain -appdomain }:process
{ transition dyntransition };
# Write to rootfs.
diff --git a/file.te b/file.te
index 99c3839..7df06d3 100644
--- a/file.te
+++ b/file.te
@@ -167,4 +167,4 @@
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem *;
+neverallow fs_type file_type:filesystem associate;