recovery: start enforcing SELinux rules

Start enforcing SELinux rules for recovery. I've been monitoring denials, and I haven't seen anything which would indicate a problem. We can always roll this back if something goes wrong. Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3

recovery: start enforcing SELinux rules
Start enforcing SELinux rules for recovery. I've been monitoring denials, and I haven't seen anything which would indicate a problem. We can always roll this back if something goes wrong. Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3
c2ba5ed9 · Nick Kralevich · 3508d611 · c2ba5ed9
Commit c2ba5ed9 authored 10 years ago by Nick Kralevich
--- a/recovery.te
+++ b/recovery.te
@@ -8,7 +8,6 @@ type recovery, domain;
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
  allow recovery rootfs:file { entrypoint execute };
-  permissive_or_unconfined(recovery)

  allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };