remove init_shell

This domain was originally intended to be a place to hold rules for all init.*.rc shell scripts. However, it's now recommended that every init service have it's own SELinux domain, and the use of init_shell is to be avoided. Delete init_shell. No policy is using it anymore, and it's causing confusion for people implementing device specific SELinux policy. Bug: 18062250 Change-Id: I7c90851784b233443642ea69722f3281fd457621

remove init_shell
This domain was originally intended to be a place to hold rules for all init.*.rc shell scripts. However, it's now recommended that every init service have it's own SELinux domain, and the use of init_shell is to be avoided. Delete init_shell. No policy is using it anymore, and it's causing confusion for people implementing device specific SELinux policy. Bug: 18062250 Change-Id: I7c90851784b233443642ea69722f3281fd457621
f37d6b57 · Nick Kralevich · 0d08d472 · 0d08d472
Commit f37d6b57 authored 10 years ago by Nick Kralevich
--- a/init_shell.te
+++ b/init_shell.te
-# Restricted domain for shell processes spawned by init.
-# Normally these are shell commands or scripts invoked via sh
-# from an init*.rc file.  No service should ever run in this domain.
-type init_shell, domain;
-domain_auto_trans(init, shell_exec, init_shell)
-permissive_or_unconfined(init_shell)
-
-# Run helpers from / or /system without changing domain.
-allow init_shell rootfs:file execute_no_trans;
-allow init_shell system_file:file execute_no_trans;