Grant all privileges to programs with "User" and "System" Smack labels

Now with application labels no longer hardcoded to "User", it's time to
work on actual policy enforcment in services. Platform components that are
not downloadabla applications will run with "User" and "System" labels (for
User and System domains). They should not be restricted by Cynara.

Change-Id: I62ea8295804f3ad04b1a538642d2098aab45cb48
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
index 807daf370f8aaf926d7297b8b24c120d4d2571be..d15cec5062c7074481fd14f3e5c5ff8f8cb487a8 100755 (executable)
--- a/policy/security-manager-policy-reload
+++ b/policy/security-manager-policy-reload
@@ -5,7 +5,7 @@ USERTYPE_POLICY_PATH=/usr/share/security-manager/policy
 # Create default buckets
 while read bucket default_policy
 do
-    # Reuse the main bucket for PRIVACY_MANAGER bucket
+    # Reuse the primary bucket for PRIVACY_MANAGER bucket
     [ "$bucket" = "PRIVACY_MANAGER" ] && bucket=""
     cyad --set-bucket="$bucket" --type="$default_policy"
 done <<END
@@ -50,3 +50,9 @@ do
     done |
     cyad --set-policy --bulk=-
 done
+
+# Non-application programs get access to all privileges
+for client in User System
+do
+    cyad --set-policy --bucket=MAIN --client="$client" --user="*" --privilege="*" --type=ALLOW
+done