entrypoint should always be explicitly allowed.

Also rewrite to use positive permission sets, macros, and eliminate duplication. Change-Id: I4dc340784f770e569160025a5db2dc3da90d2629 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

entrypoint should always be explicitly allowed.
Also rewrite to use positive permission sets, macros, and eliminate duplication. Change-Id: I4dc340784f770e569160025a5db2dc3da90d2629 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
5622cca0 · Stephen Smalley · 43b9cfd3 · 5622cca0
Commit 5622cca0 authored 10 years ago by Stephen Smalley
--- a/unconfined.te
+++ b/unconfined.te
@@ -59,9 +59,12 @@ allow unconfineddomain {
    -security_file
    -shell_data_file
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
+allow unconfineddomain exec_type:dir r_dir_perms;
-allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
+allow unconfineddomain exec_type:file { rx_file_perms execmod };
-allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
+allow unconfineddomain exec_type:lnk_file r_file_perms;
+allow unconfineddomain system_file:dir r_dir_perms;
+allow unconfineddomain system_file:file { rx_file_perms execmod };
+allow unconfineddomain system_file:lnk_file r_file_perms;
 allow unconfineddomain {
    fs_type
    -usermodehelper
@@ -78,7 +81,7 @@ allow unconfineddomain {
    -security_file
    -shell_data_file
 }:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain { rootfs system_file exec_type }:file execute;
+allow unconfineddomain rootfs:file execute;
 allow unconfineddomain contextmount_type:dir r_dir_perms;
 allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
 allow unconfineddomain node_type:node *;