| type runas, domain, mlstrustedsubject; |
| type runas_exec, system_file_type, exec_type, file_type; |
| |
| allow runas adbd:fd use; |
| allow runas adbd:process sigchld; |
| allow runas adbd:unix_stream_socket { read write }; |
| allow runas shell:fd use; |
| allow runas shell:fifo_file { read write }; |
| allow runas shell:unix_stream_socket { read write }; |
| allow runas devpts:chr_file { read write ioctl }; |
| allow runas shell_data_file:file { read write }; |
| |
| # run-as reads package information. |
| allow runas system_data_file:file r_file_perms; |
| allow runas system_data_file:lnk_file getattr; |
| allow runas packages_list_file:file r_file_perms; |
| |
| # The app's data dir may be accessed through a symlink. |
| allow runas system_data_file:lnk_file read; |
| |
| # run-as checks and changes to the app data dir. |
| dontaudit runas self:global_capability_class_set { dac_override dac_read_search }; |
| allow runas app_data_file:dir { getattr search }; |
| |
| # run-as switches to the app UID/GID. |
| allow runas self:global_capability_class_set { setuid setgid }; |
| |
| # run-as switches to the app security context. |
| selinux_check_context(runas) # validate context |
| allow runas self:process setcurrent; |
| allow runas non_system_app_set:process dyntransition; # setcon |
| |
| # runas/libselinux needs access to seapp_contexts_file to |
| # determine which domain to transition to. |
| allow runas seapp_contexts_file:file r_file_perms; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID |
| neverallow runas self:global_capability_class_set ~{ setuid setgid }; |
| neverallow runas self:global_capability2_class_set *; |