domain.te: Add backwards compatibility for unlabeled files

For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.

Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.

To prevent inadvertently introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.

Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
diff --git a/te_macros b/te_macros
index 1c78c96..310612c 100644
--- a/te_macros
+++ b/te_macros
@@ -109,6 +109,13 @@
')
#####################################
+# relabelto_domain(domain)
+# Allows this domain to use the relabelto permission
+define(`relabelto_domain', `
+typeattribute $1 relabeltodomain;
+')
+
+#####################################
# platform_app_domain(domain)
# Allow permissions specific to platform apps.
define(`platform_app_domain', `
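
Review bot: The header comment on `relabelto_domain` ("Allows this domain to use the relabelto permission") overstates what the macro does: its body is only `typeattribute $1 relabeltodomain;` and contains no allow rule, so calling it grants nothing by itself. Suggest rewording the comment to say that the macro adds the domain to the `relabeltodomain` attribute, the set the commit message describes as the domains with a legitimate need to relabel, and that the relabelto allow rules still have to be written for each such domain. This hunk also does not show the declaration of the `relabeltodomain` attribute or the neverallow rule itself; please confirm both land in the same change, since `typeattribute` on an undeclared attribute will not compile.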