commit 965f2ff1b4804a91b3537a3799814dc54ed478f8
author Stephen Smalley <sds@tycho.nsa.gov> Thu Jun 14 12:33:38 2012 -0400
committer Stephen Smalley <sds@tycho.nsa.gov> Thu Jun 28 13:59:07 2012 -0400
tree 68685722cd5ffd1e8360c97702924828b4595a62
parent 03d2803c542cbae539dba785153e58d81c503bf3

Allow system_app to set MAC enforcing mode and read MAC denials.

system.te

diff --git a/system.te b/system.te
index 97a395c..1457c79 100644
--- a/system.te
+++ b/system.te
@@ -27,17 +27,29 @@
 # Read SELinux enforcing status.
 selinux_getenforce(system_app)
 
-bool settings_manage_selinux true;
-if (settings_manage_selinux) {
-# Allow settings app to set SELinux to enforcing
+bool manage_selinux true;
+if (manage_selinux) {
+# Set SELinux enforcing status.
 selinux_setenforce(system_app)
 
-# Allow settings app to set SELinux booleans
+# Set SELinux booleans.
 selinux_setbool(system_app)
 
-# Allow settings app to read syslog to display AVC messages
+# Read syslog to display AVC messages.
 allow system_app kernel:system syslog_read;
+}
 
+bool manage_mac true;
+if (manage_mac) {
+# Set properties via the init property service.
+unix_socket_connect(system_app, property, init)
+
+# Set the persist.mac_enforcing_mode property.
+allow system_app system_prop:property_service set;
+
+# Run logcat and read the logs for MAC denials.
+allow system_app system_file:file x_file_perms;
+allow system_app log_device:chr_file read;
 }
 
 #