init: avoid lengthy allow rules

Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>

init: avoid lengthy allow rules
Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
cf0d7f66 · William Roberts · fc9e8e25 · cf0d7f66
Commit cf0d7f66 authored 9 years ago by William Roberts
--- a/init.te
+++ b/init.te
@@ -98,11 +98,58 @@ allow init rootfs:{ dir file } relabelfrom;
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
-allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:dir { write add_name remove_name rmdir relabelfrom };
+allow init {
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
+  file_type
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+  -system_file
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink };
+  -exec_type
+  -app_data_file
+}:dir { create search getattr open read setattr ioctl };
+allow init {
+  file_type
+  -system_file
+  -exec_type
+  -keystore_data_file
+  -app_data_file
+  -shell_data_file
+  -vold_data_file
+  -misc_logd_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+allow init {
+  file_type
+  -system_file
+  -exec_type
+  -keystore_data_file
+  -app_data_file
+  -shell_data_file
+  -vold_data_file
+  -misc_logd_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+allow init {
+  file_type
+  -system_file
+  -exec_type
+  -keystore_data_file
+  -app_data_file
+  -shell_data_file
+  -vold_data_file
+  -misc_logd_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {
+  file_type
+  -system_file
+  -exec_type
+  -keystore_data_file
+  -app_data_file
+  -shell_data_file
+  -vold_data_file
+  -misc_logd_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;