From ee6152844b9a1e551f9bd5f6c56449ab22be3a17 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 20 Jun 2014 14:03:20 -0400
Subject: [PATCH] Remove sdcard_type access from unconfineddomain.

Require sdcard_type access to be explicitly allowed to
each domain.  This is to both protect services from
being killed by unsafe ejection and to protect SDcard
data from access by rogue daemons.

Change-Id: If3bdd50fd2be50bd98d755b2f252e0ae455b82c4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 unconfined.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/unconfined.te b/unconfined.te
index ac2c3167a..cd49cf1eb 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -48,7 +48,7 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {
     file_type
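Review bot: The `-sdcard_type` subtraction added to the `{ dir lnk_file sock_file fifo_file }` rule has no comment, so the reason for the exclusion is recorded only in the commit message. The same applies to the `-sdcard_type` entry added to the `{ chr_file file }` set in the second hunk. A one-line comment above each rule would make a later edit less likely to widen the set again, for example `# sdcard_type is excluded on purpose: grant it per domain (unsafe ejection kills holders; limits daemon access to SD card data).` The statement that opens on the hunk's last two lines (`allow unconfineddomain { file_type`) continues outside the hunk and is not reviewed here.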
@@ -72,6 +72,7 @@ allow unconfineddomain {
     -proc_security
     -contextmount_type
     -rootfs
+    -sdcard_type
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {
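Review bot: Any domain that reaches SD card files only through unconfineddomain loses that access once `-sdcard_type` is in this set. The diffstat shows unconfined.te as the only file changed, so no per-domain allow rules accompany the removal in this commit. Before this is enforced, it would be worth checking the audit log for avc denials from unconfined domains against sdcard_type targets, and adding narrow explicit rules only for the domains that need them. Those rules may already exist or land in separate changes, which should be confirmed. The allow statement opens above the hunk, so the base type set being subtracted from is not visible here.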
-- 
GitLab