From 06c008e9f0b250a1a50744d3efa33f1e4fffdddf Mon Sep 17 00:00:00 2001
From: Rafal Krypa <r.krypa@samsung.com>
Date: Thu, 5 Mar 2015 12:46:04 +0100
Subject: [PATCH] Grant all privileges to programs with "User" and "System"
 Smack labels

Now with application labels no longer hardcoded to "User", it's time to
work on actual policy enforcment in services. Platform components that are
not downloadabla applications will run with "User" and "System" labels (for
User and System domains). They should not be restricted by Cynara.

Change-Id: I62ea8295804f3ad04b1a538642d2098aab45cb48
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
---
 policy/security-manager-policy-reload | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
index 807daf3..d15cec5 100755
--- a/policy/security-manager-policy-reload
+++ b/policy/security-manager-policy-reload
@@ -5,7 +5,7 @@ USERTYPE_POLICY_PATH=/usr/share/security-manager/policy
 # Create default buckets
 while read bucket default_policy
 do
-    # Reuse the main bucket for PRIVACY_MANAGER bucket
+    # Reuse the primary bucket for PRIVACY_MANAGER bucket
     [ "$bucket" = "PRIVACY_MANAGER" ] && bucket=""
     cyad --set-bucket="$bucket" --type="$default_policy"
 done <<END
@@ -50,3 +50,9 @@ do
     done |
     cyad --set-policy --bulk=-
 done
+
+# Non-application programs get access to all privileges
+for client in User System
+do
+    cyad --set-policy --bucket=MAIN --client="$client" --user="*" --privilege="*" --type=ALLOW
+done
-- 
2.7.4