Commit 00b180df authored by Stephen Smalley's avatar Stephen Smalley

Eliminate some duplicated rules.


As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.

Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).

Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent 43b9cfd3
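--- a/[path not shown: dhcp .te file]
+++ b/[path not shown: dhcp .te file]
@@ -15,7 +15,6 @@ allow dhcp system_file:file rx_file_perms;
 allow dhcp proc_net:file write;
 allow dhcp system_prop:property_service set ;
 unix_socket_connect(dhcp, property, init)
-allow dhcp owntty_device:chr_file rw_file_perms;
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;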
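--- a/[path not shown: domain .te file]
+++ b/[path not shown: domain .te file]
@@ -130,7 +130,8 @@ allow domain debugfs:dir r_dir_perms;
 allow domain debugfs:file w_file_perms;
 # Get SELinux enforcing status.
-selinux_getenforce(domain)
+allow domain selinuxfs:dir r_dir_perms;
+allow domain selinuxfs:file r_file_perms;
 # /data/security files
 allow domain security_file:dir { search getattr };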
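Review bot: The comment kept above the two new rules, `# Get SELinux enforcing status.`, now understates what is granted: `r_dir_perms` on selinuxfs directories and `r_file_perms` on every selinuxfs file, for every type in `domain`, which covers more than the enforce node (policy, booleans and the other nodes selinuxfs exposes are readable too). Suggest replacing it with `# Read access to selinuxfs for all domains (enforce status, booleans, policy); replaces the former selinux_getenforce macro.` so a later reader does not narrow the grant or reintroduce a per-domain macro without realising it is already global. Any .te file that still invokes selinux_getenforce would presumably break m4 expansion once the macro is removed; the remaining callers are not visible on this page, so that is assumed to have been checked by the build. The domain rule list continues outside the hunk on both sides.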
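--- a/[path not shown: shell .te file]
+++ b/[path not shown: shell .te file]
@@ -25,7 +25,6 @@ allow shell shell_data_file:file rx_file_perms;
 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)
-allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;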
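--- a/[path not shown: system_server .te file]
+++ b/[path not shown: system_server .te file]
@@ -159,7 +159,6 @@ allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
 allow system_server radio_device:chr_file r_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
-allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
 allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;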
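--- a/[path not shown: te_macros file]
+++ b/[path not shown: te_macros file]
@@ -187,7 +187,6 @@ allow $1 self:capability2 block_suspend;
 # selinux_check_access(domain)
 # Allow domain to check SELinux permissions via selinuxfs.
 define(`selinux_check_access', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
 allow $1 self:netlink_selinux_socket *;
@@ -197,24 +196,14 @@ allow $1 self:netlink_selinux_socket *;
 # selinux_check_context(domain)
 # Allow domain to check SELinux contexts via selinuxfs.
 define(`selinux_check_context', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security check_context;
 ')
-#####################################
-# selinux_getenforce(domain)
-# Allow domain to check whether SELinux is enforcing.
-define(`selinux_getenforce', `
-allow $1 selinuxfs:dir r_dir_perms;
-allow $1 selinuxfs:file r_file_perms;
-')
 #####################################
 # selinux_setenforce(domain)
 # Allow domain to set SELinux to enforcing.
 define(`selinux_setenforce', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setenforce;
 ')
@@ -223,7 +212,6 @@ allow $1 kernel:security setenforce;
 # selinux_setbool(domain)
 # Allow domain to set SELinux booleans.
 define(`selinux_setbool', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setbool;
 ')
@@ -235,11 +223,6 @@ allow $1 kernel:security setbool;
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
-allow $1 security_file:lnk_file r_file_perms;
-allow $1 selinuxfs:dir r_dir_perms;
-allow $1 selinuxfs:file r_file_perms;
-allow $1 rootfs:dir r_dir_perms;
-allow $1 rootfs:file r_file_perms;
 ')
 #####################################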
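--- a/[path not shown: wpa .te file]
+++ b/[path not shown: wpa .te file]
@@ -15,7 +15,6 @@ allow wpa self:packet_socket create_socket_perms;
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
-allow wpa random_device:chr_file r_file_perms;
 binder_use(wpa)
 binder_call(wpa, keystore)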