Eliminate some duplicated rules.

As reported by sepolicy-analyze -D -P /path/to/sepolicy. No semantic difference reported by sediff between the policy before and after this change. Deduplication of selinuxfs read access resolved by taking the common rules to domain.te (and thereby getting rid of the selinux_getenforce macro altogether). Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Eliminate some duplicated rules.
As reported by sepolicy-analyze -D -P /path/to/sepolicy. No semantic difference reported by sediff between the policy before and after this change. Deduplication of selinuxfs read access resolved by taking the common rules to domain.te (and thereby getting rid of the selinux_getenforce macro altogether). Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
00b180df · Stephen Smalley · 43b9cfd3 · 00b180df · 00b180df · 00b180df
Commit 00b180df authored 10 years ago by Stephen Smalley
--- a/dhcp.te
+++ b/dhcp.te
@@ -15,7 +15,6 @@ allow dhcp system_file:file rx_file_perms;
 allow dhcp proc_net:file write;
 allow dhcp system_prop:property_service set ;
 unix_socket_connect(dhcp, property, init)
-allow dhcp owntty_device:chr_file rw_file_perms;
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;

--- a/domain.te
+++ b/domain.te
@@ -130,7 +130,8 @@ allow domain debugfs:dir r_dir_perms;
 allow domain debugfs:file w_file_perms;
 # Get SELinux enforcing status.
-selinux_getenforce(domain)
+allow domain selinuxfs:dir r_dir_perms;
+allow domain selinuxfs:file r_file_perms;
 # /data/security files
 allow domain security_file:dir { search getattr };

--- a/shell.te
+++ b/shell.te
@@ -25,7 +25,6 @@ allow shell shell_data_file:file rx_file_perms;
 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)
-allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;

--- a/system_server.te
+++ b/system_server.te
@@ -159,7 +159,6 @@ allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
 allow system_server radio_device:chr_file r_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
-allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
 allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;

--- a/te_macros
+++ b/te_macros
@@ -187,7 +187,6 @@ allow $1 self:capability2 block_suspend;
 # selinux_check_access(domain)
 # Allow domain to check SELinux permissions via selinuxfs.
 define(`selinux_check_access', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
 allow $1 self:netlink_selinux_socket *;
@@ -197,24 +196,14 @@ allow $1 self:netlink_selinux_socket *;
 # selinux_check_context(domain)
 # Allow domain to check SELinux contexts via selinuxfs.
 define(`selinux_check_context', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security check_context;
 ')
-#####################################
-# selinux_getenforce(domain)
-# Allow domain to check whether SELinux is enforcing.
-define(`selinux_getenforce', `
-allow $1 selinuxfs:dir r_dir_perms;
-allow $1 selinuxfs:file r_file_perms;
-')
 #####################################
 # selinux_setenforce(domain)
 # Allow domain to set SELinux to enforcing.
 define(`selinux_setenforce', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setenforce;
 ')
@@ -223,7 +212,6 @@ allow $1 kernel:security setenforce;
 # selinux_setbool(domain)
 # Allow domain to set SELinux booleans.
 define(`selinux_setbool', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setbool;
 ')
@@ -235,11 +223,6 @@ allow $1 kernel:security setbool;
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
-allow $1 security_file:lnk_file r_file_perms;
-allow $1 selinuxfs:dir r_dir_perms;
-allow $1 selinuxfs:file r_file_perms;
-allow $1 rootfs:dir r_dir_perms;
-allow $1 rootfs:file r_file_perms;
 ')
 #####################################

--- a/wpa.te
+++ b/wpa.te
@@ -15,7 +15,6 @@ allow wpa self:packet_socket create_socket_perms;
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
-allow wpa random_device:chr_file r_file_perms;
 binder_use(wpa)
 binder_call(wpa, keystore)