Grant all privileges to programs with "User" and "System" Smack labels

Now with application labels no longer hardcoded to "User", it's time to
work on actual policy enforcment in services. Platform components that are
not downloadabla applications will run with "User" and "System" labels (for
User and System domains). They should not be restricted by Cynara.

Change-Id: I62ea8295804f3ad04b1a538642d2098aab45cb48
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
index 807daf3..d15cec5 100755 (executable)
--- a/policy/security-manager-policy-reload
+++ b/policy/security-manager-policy-reload
@@ -5,7 +5,7 @@ USERTYPE_POLICY_PATH=/usr/share/security-manager/policy
 # Create default buckets
 while read bucket default_policy
 do
-    # Reuse the main bucket for PRIVACY_MANAGER bucket
+    # Reuse the primary bucket for PRIVACY_MANAGER bucket
     [ "$bucket" = "PRIVACY_MANAGER" ] && bucket=""
     cyad --set-bucket="$bucket" --type="$default_policy"
 done <<END
@@ -50,3 +50,9 @@ do
     done |
     cyad --set-policy --bulk=-
 done
+
+# Non-application programs get access to all privileges
+for client in User System
+do
+    cyad --set-policy --bucket=MAIN --client="$client" --user="*" --privilege="*" --type=ALLOW
+done