From 3da1ffbad06bd0a9a98954fa0be229a8bd53ebec Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 30 Sep 2014 11:24:34 -0400
Subject: [PATCH] Remove block_device:blk_file access from fsck.

Now that we have assigned specific types to userdata and cache block devices, we can remove the ability of fsck to run on other block devices.

Change-Id: I8cfb3dc0e4ebe6b73346ff291ecb11397bb0c2d0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 2 +-
 fsck.te | 4 ----
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/domain.te b/domain.te
index 86aeb07d8..fcb813af5 100644
--- a/domain.te
+++ b/domain.te
@@ -254,7 +254,7 @@ neverallow domain init:binder *;
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery -fsck } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
diff --git a/fsck.te b/fsck.te
index dd696d51e..b4eb69884 100644
--- a/fsck.te
+++ b/fsck.te
@@ -13,10 +13,6 @@ allow fsck tmpfs:chr_file { read write ioctl };
 allow fsck devpts:chr_file { read write ioctl getattr };
 # Run e2fsck on block devices.
-# TODO: Assign userdata and cache block device types to the corresponding
-# block devices in all device policies, and then remove access to
-# block_device:blk_file from here.
-allow fsck block_device:blk_file rw_file_perms;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
-- 
GitLab
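Review bot: The tightened neverallow on the `+` line in domain.te still asserts only `{ open read write }`, so a domain that inherits an already-open `block_device` descriptor can still `ioctl`, `append` or `lock` it without tripping the build-time check; if the goal is to deny raw access to generically-labelled block devices outright, widen the set to `{ open read write ioctl append lock }` (or whatever `rw_file_perms` expands to, since that is the set fsck.te grants on the typed devices). Bear in mind that a neverallow is a compile-time assertion, not a runtime rule: with `-fsck` dropped, fsck reaches a partition only via `userdata_block_device`/`cache_block_device`, so a device whose file_contexts still labels those nodes `block_device` will presumably hit AVC denials when e2fsck is run at boot rather than a policy build failure. That dependency deserves a comment next to the rule, e.g. `# Any block device that fsck must check needs its own *_block_device type; see fsck.te.`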