Remove block device access from unconfined domains.

Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/init.te b/init.te
index efce6e7..c05faba 100644
--- a/init.te
+++ b/init.te
@@ -9,6 +9,7 @@
 
 allow init self:capability { sys_rawio mknod };
 
+allow init dev_type:blk_file rw_file_perms;
 allow init fs_type:filesystem *;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
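Review bot: The added rule `allow init dev_type:blk_file rw_file_perms;` in init.te targets the whole `dev_type` attribute and carries no comment explaining why init needs read/write on every block device type. The commit message says access is granted only as required, so please add a one-line comment above the rule stating what init does that needs it. If init only touches a known subset of device types, list those types instead of the attribute so the grant does not silently widen when new device types are added.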