Commit Graph

9 Commits

Author SHA1 Message Date
followmsi 35a1e8206f flo: Update sepolicies 2020-11-26 20:51:48 +01:00

Jeff Vander Stoep 96b92e3361 deprecate domain_deprecated 2017-09-20 20:56:38 +00:00
Move device-specific policy to a local device_domain_deprecated attribute
to focus effort on core policy.

Bug: 28760354
Change-Id: Id08cc74a3a2c7b8ff242b3c6f26bd514e6855a48

Jeff Vander Stoep 46ffda988c Grant all processes the domain_deprecated attribute 2015-11-03 15:53:39 -08:00
Bug: 25433265
Change-Id: I28965b310dd8a721662e02bd585985ab43ba57a3

Stephen Smalley 078640e521 Only allow toolbox exec where /system exec was already allowed. 2015-08-25 11:47:23 -04:00
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage. However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain. Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Nick Kralevich fd58583439 flo: updates for SELinux 2015-04-01 15:20:41 -07:00
* Move binaries from /system/etc to /system/bin. That's the proper
place for binaries, and avoids having to preface each service entry
with /system/bin/sh

* Drop seclabel statements and rely on automatic domain transitions.

* Remove call to init.qcom.class_main.sh, which doesn't exist.
This gets rid of the following unnecessary errors:
  <3>[    5.286834] init: Warning!  Service qcom-c_main-sh needs a SELinux domain defined; please fix!
  <5>[    5.288970] type=1400 audit(1425327865.651:5): avc:  denied  { execute_no_trans } for  pid=191 comm="init" path="/system/bin/sh" dev="mmcblk0p22" ino=341 scontext=u:r:init:s0 tcontext=u:object_r:shell_exec:s0 tclass=file

Fix some other minor policy issues.

Change-Id: Ib47d49b6c239ab7a2ebe6159465deb98b4b8cecb

Robert Craig 1a5c4ac50a Make conn_init domain enforcing. 2014-02-20 22:24:12 +00:00
Change-Id: I52d22c9551e3608bf920d67c1debf15c505de4d2
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Nick Kralevich 4088242582 Make conn_init an init_daemon_domain 2014-01-24 20:31:42 -08:00
Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29

Nick Kralevich b35de50e3c Use permissive_or_unconfined. 2014-01-13 15:49:07 -08:00
Please see external/sepolicy commit 623975fa5aece708032aaf29689d73e1f3a615e7
for details.

Change-Id: I23175a2982d7bdb962182b9b667d3767533b78d1

Robert Craig 9d6624a0b5 Add to selinux policy. 2013-11-15 14:24:59 -05:00
Bring policy over from the mako board which
has a lot of similar domains and services.
mako is also a Qualcomm board which allows
a lot of that policy to be directly brought
over and applied.

Included in this are some radio specific
pieces. Though not directly applicable to
flo, the deb board inherits this policy.

Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f