authorStephen Smalley <sds@tycho.nsa.gov>2015-08-25 11:47:53 -0400
committerStephen Smalley <sds@tycho.nsa.gov>2015-08-25 11:47:53 -0400
commitaf73edbc440e649b4e6085fedb40af5b80cb5e2f (patch)
treeb3651801183ebf3c1e042a3b85bab750b7cccb8e
parent43e26c2412a4e695013e7c9b3a89cc6994c2ccb5 (diff)
Only allow toolbox exec where /system exec was already allowed.
When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r--sepolicy/sensors_config.te1
1 files changed, 1 insertions, 0 deletions
diff --git a/sepolicy/sensors_config.te b/sepolicy/sensors_config.te
index 1a42a44..f4bd77d 100644
--- a/sepolicy/sensors_config.te
+++ b/sepolicy/sensors_config.te
@@ -10,6 +10,7 @@ file_type_auto_trans(sensors_config, system_data_file, sensors_data_file)
# Execute toolbox commands
allow sensors_config shell_exec:file rx_file_perms;
allow sensors_config system_file:file execute_no_trans;
+allow sensors_config toolbox_exec:file rx_file_perms;
# Mount /dev/block/platform/sdhci-tegra.3/by-name/PER
allow sensors_config sensors_data_file:dir mounton;
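Review bot: The comment `# Execute toolbox commands` above the added `allow sensors_config toolbox_exec:file rx_file_perms;` does not record that toolbox runs in-domain, or which commands this domain actually needs. As far as I know `rx_file_perms` includes `execute_no_trans` in the platform macros, so any toolbox command started here keeps all of sensors_config's permissions, including the `mounton` rule just below. That matches the existing `shell_exec` rule, so the grant itself looks consistent with the commit's stated intent. I would extend the comment to something like `# Execute toolbox commands in the sensors_config domain (no transition); needed by: <commands used by the sensors config script>`, so a later audit can check the rule against real usage. The rest of the policy file is outside the hunk, so whether a narrower grant would suffice cannot be judged from here.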