authorStephen Smalley <sds@tycho.nsa.gov>2014-04-08 08:28:42 -0400
committerStephen Smalley <sds@tycho.nsa.gov>2014-04-08 08:30:24 -0400
commit91a544259f6dc5f72717c3669b1d56549d7b69e3 (patch)
treee5c4f1ce10503d8b84ee094916427fd81e994958 /sepolicy
parentc6ec60d19972247892113ab2e63e1a1c856bf425 (diff)
Allow execution of /system/bin/ip commands.
netmgrd can run ip commands, allow this. Remove dontaudit rules related to running external helpers. This will generate some log noise on boot due to sh -c 'rm /data/data_test/modem_port_status' commands but could otherwise conceal denied execution of other helper programs. Change-Id: I4ae3870c3d58a0b39eeb767310b045416265940c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/netmgrd.te6
1 files changed, 2 insertions, 4 deletions
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index a7f5267..90f68f2 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -20,10 +20,8 @@ allow netmgrd self:rawip_socket create_socket_perms;
# Talk to qmuxd (qmux_radio)
qmux_socket(netmgrd)
-# Tries to access /data/data_test/ with toolbox. The data_test
-# directory doesn't exist so deny access.
-dontaudit netmgrd shell_exec:file rx_file_perms;
-dontaudit netmgrd system_file:file execute_no_trans;
+# Runs /system/bin/ip addr flush dev <device> commands.
+allow netmgrd system_file:file execute_no_trans;
# set net.rmnet* properties.
unix_socket_connect(netmgrd, property, init)
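Review bot: The added `allow netmgrd system_file:file execute_no_trans;` is keyed on the generic `system_file` type rather than on the ip binary, so it lets netmgrd run any `system_file`-labeled executable inside its own domain, not only `/system/bin/ip` as the new comment suggests. If this tree can give ip a dedicated file type (not visible from this hunk), the rule would be better scoped to it, e.g. `allow netmgrd <ip_exec_type>:file execute_no_trans;`, where `<ip_exec_type>` is a placeholder for whatever label is chosen. Otherwise the comment should state the real scope, for example `# ip is presumably labeled system_file, so this permits in-domain execution of any system_file binary.` Because the helper runs without a domain transition, it inherits every permission netmgrd holds, which is worth noting next to the rule for anyone who later widens this domain.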