commit cf141426d45067f4a9709d3cf79eef3609d63ab1
author Geremy Condra <gcondra@google.com> Thu Mar 21 20:59:46 2013 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Mar 21 20:59:47 2013 +0000
tree 7883f86ba5b510ce8e9358377fe41b5b4acd69b4
parent 9aea69c004b2c2ce12458374ae32482775f599f4
parent 193d1292fab464bde1e785b27b019cc869aac8a8

Merge "Strengthen setenforce and setbool assertions"

assert.te

diff --git a/assert.te b/assert.te
index 1f12c5e..85cb48b 100644
--- a/assert.te
+++ b/assert.te
@@ -16,7 +16,7 @@
 
 # Setting SELinux enforcing status or booleans.
 # Conditionally allowed to system_app for SEAndroidManager.
-neverallow { appdomain -system_app } kernel:security { setenforce setbool };
+neverallow { domain -unconfineddomain -system -system_app } kernel:security { setenforce setbool };
 
 # Load security policy.
 neverallow appdomain kernel:security load_policy;