Allow different SELinux policies for third party apps.
Prior support forced all third party apps
to be resolved against the default stanza
of the mac_permissions.xml file when assigning
seinfo labels. This meant that all third party
apps, in effect, were untrusted regardless of
cert and therefore received the same selinux domain.
This also had the unfortunate side effect of forcing
certain third party apps into the wrong domains
because of shared userid requests among apps.
This patch removes that restriction and instead
allows all apps, regardless of location, to be
matched against the full mac_permissions.xml
policy file. This then allows all apps signed
with known good certs to receive the same selinux
domains of other apps with whom they share trust.
Change-Id: Iba569c046135c0e81140faf6296c5da26a243037
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
1 file changed