94 files changed, 987 insertions, 1322 deletions
diff --git a/common/sepolicy/imageserver.te b/common/sepolicy/imageserver.te index 2807189..4f68d0e 100644 --- a/common/sepolicy/imageserver.te +++ b/common/sepolicy/imageserver.te @@ -1,42 +1,44 @@ type imageserver, domain; -type imageserver_exec, exec_type, file_type; +type imageserver_exec, exec_type, vendor_file_type, file_type; typeattribute imageserver mlstrustedsubject; init_daemon_domain(imageserver) -allow imageserver shell_exec:file rx_file_perms; -allow imageserver system_file:file execute_no_trans; +allow imageserver vendor_file:file { execute }; -allow imageserver imageserver_service:service_manager add; +#allow imageserver shell_exec:file rx_file_perms; +#allow imageserver system_file:file execute_no_trans; -allow imageserver imageserver_exec:file { entrypoint read }; +#allow imageserver imageserver_service:service_manager add; -allow imageserver self:process execmem; +#allow imageserver imageserver_exec:file { entrypoint read }; -binder_use(imageserver); -binder_call(imageserver, binderservicedomain) -binder_call(imageserver, appdomain) -binder_service(imageserver) +#allow imageserver self:process execmem; -allow imageserver self:capability dac_override; -allow imageserver self:capability dac_read_search; +#binder_use(imageserver); +#binder_call(imageserver, binderservicedomain) +#binder_call(imageserver, appdomain) +#binder_service(imageserver) + +#allow imageserver self:capability dac_override; +#allow imageserver self:capability dac_read_search; #allow imageserver appdomain:file { r_file_perms }; -allow imageserver fuse:dir r_dir_perms; -allow imageserver fuse:file r_file_perms; -allow imageserver app_data_file:file rw_file_perms; +#allow imageserver fuse:dir r_dir_perms; +#allow imageserver fuse:file r_file_perms; +#allow imageserver app_data_file:file rw_file_perms; #allow imageserver system_file:file execmod; -allow imageserver app_data_file:dir search; +#allow imageserver app_data_file:dir search; -allow imageserver system_control_service:service_manager find; +#allow imageserver system_control_service:service_manager find; -allow imageserver { mnt_user_file storage_file }:dir { getattr search }; -allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read }; -allow imageserver permission_service:service_manager find; +#allow imageserver { mnt_user_file storage_file }:dir { getattr search }; +#allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read }; +#allow imageserver permission_service:service_manager find; -allow imageserver picture_device:chr_file { read write open ioctl }; -allow imageserver kernel:system module_request; +#allow imageserver picture_device:chr_file { read write open ioctl }; +#allow imageserver kernel:system module_request; -allow imageserver tmpfs:dir { getattr search }; +#allow imageserver tmpfs:dir { getattr search }; |