Allow netmgrd to execute sh.

It invokes helper programs such as /system/bin/ip via sh -c.
In the future, look at reworking netmgrd to directly invoke
the helper programs and/or to transition to a different domain
upon sh invocation to shed unnecessary permissions.

Also rewrite the system_file rule for /system/bin/ip to use
the rx_file_perms macro for consistency.

Change-Id: I407d4503868e928dd876cce932fe6a96fcbd4e0d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 90f68f2..7bec8bd 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -20,8 +20,12 @@
 # Talk to qmuxd (qmux_radio)
 qmux_socket(netmgrd)
 
+# Runs commands via sh.
+# TODO:  Convert to direct exec of /system/bin/ip and any other helpers.
+allow netmgrd shell_exec:file rx_file_perms;
+
 # Runs /system/bin/ip addr flush dev <device> commands.
-allow netmgrd system_file:file execute_no_trans;
+allow netmgrd system_file:file rx_file_perms;
 
 # set net.rmnet* properties.
 unix_socket_connect(netmgrd, property, init)
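
Review bot: The system_file rule at the end of this hunk is presented in the commit message as a consistency rewrite, but it widens the grant: the single execute_no_trans permission becomes the full rx_file_perms set (read access plus execute), and the rule covers every file labelled system_file, not only /system/bin/ip as the comment above it implies. State that in the comment or the commit message so the broader access is a recorded decision. On the new shell_exec rule, the TODO names only the direct-exec option, while the commit message also proposes transitioning to a different domain on sh invocation; put both in the TODO, since with this rule sh and whatever it launches keep running in the netmgrd domain with all of its permissions.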