94 files changed, 987 insertions, 1322 deletions

diff --git a/common/sepolicy/imageserver.te b/common/sepolicy/imageserver.te
index 2807189..4f68d0e 100644
--- a/common/sepolicy/imageserver.te
+++ b/common/sepolicy/imageserver.te
@@ -1,42 +1,44 @@
 type imageserver, domain;
-type imageserver_exec, exec_type, file_type;
+type imageserver_exec, exec_type, vendor_file_type, file_type;
 
 typeattribute imageserver mlstrustedsubject;
 
 init_daemon_domain(imageserver)
 
-allow imageserver shell_exec:file rx_file_perms;
-allow imageserver system_file:file execute_no_trans;
+allow imageserver vendor_file:file { execute };
 
-allow imageserver imageserver_service:service_manager add;
+#allow imageserver shell_exec:file rx_file_perms;
+#allow imageserver system_file:file execute_no_trans;
 
-allow imageserver imageserver_exec:file { entrypoint read };
+#allow imageserver imageserver_service:service_manager add;
 
-allow imageserver self:process execmem;
+#allow imageserver imageserver_exec:file { entrypoint read };
 
-binder_use(imageserver);
-binder_call(imageserver, binderservicedomain)
-binder_call(imageserver, appdomain)
-binder_service(imageserver)
+#allow imageserver self:process execmem;
 
-allow imageserver self:capability dac_override;
-allow imageserver self:capability dac_read_search;
+#binder_use(imageserver);
+#binder_call(imageserver, binderservicedomain)
+#binder_call(imageserver, appdomain)
+#binder_service(imageserver)
+
+#allow imageserver self:capability dac_override;
+#allow imageserver self:capability dac_read_search;
 
 #allow imageserver appdomain:file { r_file_perms };
-allow imageserver fuse:dir r_dir_perms;
-allow imageserver fuse:file r_file_perms;
-allow imageserver app_data_file:file rw_file_perms;
+#allow imageserver fuse:dir r_dir_perms;
+#allow imageserver fuse:file r_file_perms;
+#allow imageserver app_data_file:file rw_file_perms;
 #allow imageserver system_file:file execmod;
 
-allow imageserver app_data_file:dir search;
+#allow imageserver app_data_file:dir search;
 
-allow imageserver system_control_service:service_manager find;
+#allow imageserver system_control_service:service_manager find;
 
-allow imageserver { mnt_user_file storage_file }:dir { getattr search };
-allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read };
-allow imageserver permission_service:service_manager find;
+#allow imageserver { mnt_user_file storage_file }:dir { getattr search };
+#allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read };
+#allow imageserver permission_service:service_manager find;
 
-allow imageserver picture_device:chr_file { read write open ioctl };
-allow imageserver kernel:system module_request;
+#allow imageserver picture_device:chr_file { read write open ioctl };
+#allow imageserver kernel:system module_request;
 
-allow imageserver tmpfs:dir { getattr search };
+#allow imageserver tmpfs:dir { getattr search };