Fix neverallow rules to eliminate CTS SELinuxTest warnings.

Fix two neverallow rules that yield Invalid SELinux context warnings from the CTS SELinuxTest. For transitions from app domains, we only need to check { domain -appdomain } (i.e. domains other than app domains), not ~appdomain (i.e. all types other than app domains). Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing since the target class is process, and such contexts are invalid. For keeping file_type and fs_type exclusive, we only need to check associate permission, not all filesystem permissions, as only associate takes a file type as the source context. Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing filesystem permissions other than associate, since the source of such checks is normally a process context. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from commit 21ada26d) Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e

Fix neverallow rules to eliminate CTS SELinuxTest warnings.
Fix two neverallow rules that yield Invalid SELinux context warnings from the CTS SELinuxTest. For transitions from app domains, we only need to check { domain -appdomain } (i.e. domains other than app domains), not ~appdomain (i.e. all types other than app domains). Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing since the target class is process, and such contexts are invalid. For keeping file_type and fs_type exclusive, we only need to check associate permission, not all filesystem permissions, as only associate takes a file type as the source context. Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing filesystem permissions other than associate, since the source of such checks is normally a process context. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from commit 21ada26d) Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e
d990a78f · Stephen Smalley · Nick Kralevich · 770910bb · d990a78f · d990a78f
Commit d990a78f authored 10 years ago by Stephen Smalley Committed by Nick Kralevich 10 years ago
--- a/app.te
+++ b/app.te
@@ -255,7 +255,7 @@ neverallow appdomain { domain -appdomain }:process

 # Transition to a non-app domain.
 # Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell } ~appdomain:process
+neverallow { appdomain -shell } { domain -appdomain }:process
    { transition dyntransition };

 # Write to rootfs.

--- a/file.te
+++ b/file.te
@@ -167,4 +167,4 @@ allow dev_type tmpfs:filesystem associate;
 #   type apk_data_file, file_type, data_file_type, fs_type;
 # Should be:
 #   type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem *;
+neverallow fs_type file_type:filesystem associate;