Stephen Smalley | 6d10ca8 | 2014-01-13 09:45:45 -0500 | [diff] [blame] | 1 | # recovery console (used in recovery init.rc for /sbin/recovery) |
| 2 | type recovery, domain; |
| 3 | allow recovery rootfs:file entrypoint; |
| 4 | unconfined_domain(recovery) |
| 5 | relabelto_domain(recovery) |
| 6 | |
Stephen Smalley | 04ee5df | 2014-01-30 13:23:08 -0500 | [diff] [blame] | 7 | allow recovery self:capability2 mac_admin; |
| 8 | |
Stephen Smalley | 6d10ca8 | 2014-01-13 09:45:45 -0500 | [diff] [blame] | 9 | allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto; |
| 10 | allow recovery unlabeled:filesystem mount; |
Stephen Smalley | b081cc1 | 2014-02-10 13:29:38 -0500 | [diff] [blame] | 11 | allow recovery fs_type:filesystem *; |
Stephen Smalley | 6d10ca8 | 2014-01-13 09:45:45 -0500 | [diff] [blame] | 12 | |
| 13 | allow recovery self:process execmem; |
Stephen Smalley | 9fe4e7b | 2014-01-13 15:32:11 -0500 | [diff] [blame] | 14 | allow recovery ashmem_device:chr_file execute; |
Stephen Smalley | 9a40702 | 2014-01-13 14:03:47 -0500 | [diff] [blame] | 15 | allow recovery tmpfs:file rx_file_perms; |
Stephen Smalley | 5487ca0 | 2014-02-10 16:31:04 -0500 | [diff] [blame^] | 16 | |
| 17 | ## TODO: Investigate whether it is safe to remove these |
| 18 | allow recovery self:capability { sys_rawio mknod }; |
| 19 | auditallow recovery self:capability { sys_rawio mknod }; |