From 4c6f1ce8eede62acbaaa02e9fa72b3f218660b8c Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 2 Feb 2012 13:28:44 -0500
Subject: [PATCH] Allow Settings to set enforcing and booleans if
 settings_manage_selinux is true.

---
 system.te |  9 +++++++++
 te_macros | 18 ++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/system.te b/system.te
index cba07e326..ef0d12e5a 100644
--- a/system.te
+++ b/system.te
@@ -24,6 +24,15 @@ unix_socket_connect(system_app, keystore, keystore)
 # Read SELinux enforcing status.
 selinux_getenforce(system_app)
 
+bool settings_manage_selinux true;
+if (settings_manage_selinux) {
+# Allow settings app to set SELinux to enforcing
+selinux_setenforce(system_app)
+
+# Allow settings app to set SELinux booleans
+selinux_setbool(system_app)
+}
+
 #
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.
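Review bot: `bool settings_manage_selinux true;` turns the conditional grant on by default, so `system_app` holds `setenforce` and `setbool` on any build where nobody flips the boolean off. The subject line names Settings, but the rules are written against the whole `system_app` type. If other apps run in that domain (not visible in this hunk), a compromise of any one of them could switch enforcement off or change policy booleans. Consider shipping the restrictive default, `bool settings_manage_selinux false;`, and enabling it only where on-device management is wanted. A comment above the `bool` line could also state which builds are expected to set it.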
diff --git a/te_macros b/te_macros
index 4afc777b0..75f294c00 100644
--- a/te_macros
+++ b/te_macros
@@ -208,3 +208,21 @@ define(`selinux_getenforce', `
 allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 ')
+
+#####################################
+# selinux_setenforce(domain)
+# Allow domain to set SELinux to enforcing.
+define(`selinux_setenforce', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security setenforce;
+')
+
+#####################################
+# selinux_setbool(domain)
+# Allow domain to set SELinux booleans.
+define(`selinux_setbool', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security setbool;
+')
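Review bot: The header comment on `selinux_setenforce` understates the grant, because `kernel:security setenforce` governs every write to the enforce node, including a switch to permissive. I would reword it to `# Allow domain to change the SELinux enforcing mode (enforcing or permissive).` so that callers of the macro see the full effect. Both macros also give `rw_file_perms` on every `selinuxfs:file`, so the only difference between them is the `kernel:security` permission. A one-line comment such as `# selinuxfs write access alone is not sufficient; the kernel:security permission gates the operation.` would make that clear to the next policy reviewer.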
-- 
GitLab