Remove unlabeled execute access from domain, add to appdomain.

Otherwise all domains can create/write files that are executable
by all other domains.  If I understand correctly, this should
only be necessary for app domains executing content from legacy
unlabeled userdata partitions on existing devices and zygote
and system_server mappings of dalvikcache files, so only allow
it for those domains.

If required for others, add it to the individual
domain .te file, not for all domains.

Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/system_server.te b/system_server.te
index 37d4cc6..22d739b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -239,3 +239,8 @@
 
 # For SELinuxPolicyInstallReceiver
 selinux_manage_policy(system_server)
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow system_server unlabeled:file execute;
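Review bot: The added `allow system_server unlabeled:file execute;` at the end of system_server.te grants execute on every unlabeled file, while the comment above it scopes the need to dalvikcache mmap/mprotect PROT_EXEC on legacy userdata. Type enforcement rules match on type, not path, so the rule cannot be narrowed to dalvikcache while those files are still unlabeled. The comment should therefore mark this as a transitional grant and state the condition for removing it, namely that userdata has been relabeled so the dalvikcache files carry their own type. The commit message also names zygote and appdomain as needing this access, but only the system_server.te hunk is visible here; confirm those rules land in the same change as the removal from domain. A matching `auditallow system_server unlabeled:file execute;` during bring-up would show whether the permission is still exercised on relabeled devices.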