Move allow rules before neverallow rules.

There were a few instances where allow rules were appended after the neverallow rules stanza in the .te file. Also there were some regular allow rules inserted into the CTS-specific rules section of app.te. Just move the rules as appropriate. Should be no change in policy. Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Move allow rules before neverallow rules.
There were a few instances where allow rules were appended after the neverallow rules stanza in the .te file. Also there were some regular allow rules inserted into the CTS-specific rules section of app.te. Just move the rules as appropriate. Should be no change in policy. Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
b8caf7fd · Stephen Smalley · 0233cd80 · b8caf7fd · b8caf7fd · b8caf7fd
Commit b8caf7fd authored 10 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -155,6 +155,16 @@ allow appdomain apk_data_file:file { rx_file_perms execmod };
 allow appdomain resourcecache_data_file:file r_file_perms;
 allow appdomain resourcecache_data_file:dir r_dir_perms;

+# logd access
+read_logd(appdomain)
+control_logd(appdomain)
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore({ appdomain -isolated_app })
+
 ###
 ### CTS-specific rules
 ###
@@ -171,16 +181,6 @@ selinux_check_context(appdomain)
 # Validate that each process is running in the correct security context.
 allow appdomain domain:process getattr;

-# logd access
-read_logd(appdomain)
-control_logd(appdomain)
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
-
-use_keystore({ appdomain -isolated_app })
-
 ###
 ### Neverallow rules
 ###

--- a/keystore.te
+++ b/keystore.te
@@ -12,6 +12,11 @@ allow keystore keystore_exec:file { getattr };
 allow keystore tee_device:chr_file rw_file_perms;
 allow keystore tee:unix_stream_socket connectto;

+allow keystore keystore_service:service_manager { add find };
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
 ###
 ### Neverallow rules
 ###
@@ -25,8 +30,3 @@ neverallow { domain -keystore -init } keystore_data_file:dir *;
 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

 neverallow domain keystore:process ptrace;
-
-allow keystore keystore_service:service_manager { add find };
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -138,6 +138,10 @@ auditallow untrusted_app {
    -wifip2p_service
 }:service_manager find;

+# Allow verifier to access staged apks.
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
@@ -162,7 +166,3 @@ neverallow untrusted_app service_manager_type:service_manager add;
 neverallow untrusted_app property_socket:sock_file write;
 neverallow untrusted_app init:unix_stream_socket connectto;
 neverallow untrusted_app property_type:property_service set;
-
-# Allow verifier to access staged apks.
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;