Improve sepolicy labeling and domain confinement.
* Move certain services out of inits domain.
inits domain is unconfined and we should
be limiting those services that need to
run in inits context. For the new domains
introduced, keep them permissive and unconfined
for now until future policy work will individually
drop these constraints.
* Add context option to fstab when mounting
the firmware partition. This will ensure
proper labeling and not use the default vfat
label of sdcard_external.
* Use concatenation versus assignment when making
policy declarations inside BoardConfig.mk. This
will allow sepolicy to exist in the vendor
directory.
Change-Id: I93c7413bf2a8ceb7589f059e754c4b2a787fdbaf
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/sepolicy/bridge.te b/sepolicy/bridge.te
new file mode 100644
index 0000000..40ef355
--- /dev/null
+++ b/sepolicy/bridge.te
@@ -0,0 +1,9 @@
+# Bridge Manager (radio process)
+type bridge, domain;
+type bridge_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(bridge)
+
+permissive bridge;
+unconfined_domain(bridge)