Restrict the ability to set SELinux enforcing mode to init.
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.
Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/shell.te b/shell.te
index 8b51003..032f70f 100644
--- a/shell.te
+++ b/shell.te
@@ -6,3 +6,6 @@
# Run app_process.
# XXX Split into its own domain?
app_domain(shell)
+
+# shell is also permissive to permit setenforce.
+permissive shell;
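Review bot: The added `permissive shell;` at the end of shell.te is unconditional in this hunk, while the commit message says shell should be permissive only in non-user builds. If nothing outside this hunk keeps the statement out of user builds, it should sit inside a build-variant conditional, since a permissive domain only logs denials instead of enforcing them and this one covers the adb shell. The new comment would also be clearer if it said the same thing as the commit message: that the domain is permissive only in non-user builds, and that this is so setenforce can be used there without violating the neverallow rule.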