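# SELinux policy for the run-as domain.
#
# Layout fix: the listing's line-number gutter was fused into the statements
# ("1type", "4allow", ...) and every rule sat on one physical line, so the
# first '#' turned the rest of the policy into a comment. The rules below are
# the same statements in the same order, one per line.

# runas is a process domain. mlstrustedsubject marks it as exempt from the MLS
# constraints applied to ordinary subjects (the attribute is defined outside
# this file); anything added to this domain inherits that exemption.
type runas, domain, mlstrustedsubject;
# Label for the run-as executable. The transition into the runas domain is not
# defined in this file.
type runas_exec, exec_type, file_type;

# Descriptors, sockets, FIFOs and the pty that runas may use when they belong
# to adbd or shell. Only use/read/write (plus ioctl on the pty) is granted:
# no open or create.
allow runas adbd:fd use;
allow runas adbd:process sigchld;
allow runas adbd:unix_stream_socket { read write };
allow runas shell:fd use;
allow runas shell:fifo_file { read write };
allow runas shell:unix_stream_socket { read write };
allow runas devpts:chr_file { read write ioctl };
allow runas shell_data_file:file { read write };

# run-as reads package information.
allow runas system_data_file:file r_file_perms;

# run-as checks and changes to the app data dir.
# dontaudit only silences the denial log entry; dac_override is still denied,
# and the neverallow at the end of this file rejects any rule granting it.
dontaudit runas self:capability dac_override;
# Directory access is limited to getattr/search: no listing, no writes.
allow runas app_data_file:dir { getattr search };

# run-as switches to the app UID/GID.
allow runas self:capability { setuid setgid };

# run-as switches to the app security context.
# The context change is a dynamic transition (setcon), so it happens inside the
# running process rather than across an exec. The permitted targets are limited
# to the non_system_app_set attribute, which is defined outside this file.
selinux_check_context(runas) # validate context
allow runas self:process setcurrent;
allow runas non_system_app_set:process dyntransition; # setcon

# runas/libselinux needs access to seapp_contexts_file to
# determine which domain to transition to.
allow runas seapp_contexts_file:file r_file_perms;

###
### neverallow rules
###

# neverallow rules are checked when the policy is compiled: a later allow rule
# that matches one of them fails the build instead of widening the domain.

# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
neverallow runas self:capability ~{ setuid setgid };
neverallow runas self:capability2 *;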