Add a domain for the recovery console.

Define a domain for use by the recovery init.rc file for
/sbin/recovery.  Start with a copy of the kernel domain
rules since that is what /sbin/recovery was previously running in,
and then add rules as appropriate.

Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/recovery.te b/recovery.te
new file mode 100644
index 0000000..a52b2b5
--- /dev/null
+++ b/recovery.te
@@ -0,0 +1,11 @@
+# recovery console (used in recovery init.rc for /sbin/recovery)
+type recovery, domain;
+allow recovery rootfs:file entrypoint;
+unconfined_domain(recovery)
+relabelto_domain(recovery)
+
+allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
+allow recovery unlabeled:filesystem mount;
+
+allow recovery self:process execmem;
+allow recovery cache_file:file rx_file_perms;
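
Review bot: The last two rules, `allow recovery self:process execmem;` and `allow recovery cache_file:file rx_file_perms;`, have no comment saying what /sbin/recovery does that needs executable anonymous memory or needs to execute files labeled cache_file, and both deserve a stated justification in a domain that is already declared with `unconfined_domain(recovery)`. Please add a one-line comment above each rule naming the use case. The same applies to the relabelto rule: it excludes only `-kmem_device` from `{fs_type dev_type file_type}`, so a comment on why recovery has to relabel to nearly every type would help. Since the commit message says the rules start as a copy of the kernel domain, a note to that effect in the file's header comment would tell later readers which rules are inherited and are candidates for tightening.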