From 30707a457d05c34737574c4f8567061dc69ddb60 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 5 Jan 2015 15:59:25 -0800
Subject: [PATCH] init.te: remove unactionable auditallow statements

Commit 0d08d4721a8c18b7d5f7dccde467c3840c03b9a8 added two auditallow
statements. The intended purpose of the auditallow statements was:

  auditallow accesses by init to files
  and character devices left in the generic device type so we can monitor
  what is being left there, although it is not necessarily a problem unless
  the file or device should be accessible to others.

As currently written, the auditallow rules aren't actionable. It's not
a problem by itself for init to access a /dev file or chr_file.
Rather, we care about when other domains access such files.

Currently, this generates a number of (expected) audit statements on
boot, which causes unnecessary confusion and makes people believe
that something is broken.

Remove the unactionable auditallow statements.

Change-Id: Ibfe33976505a7dc3f8d15c9eb203c044a39da426
---
 init.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/init.te b/init.te
index d78ca497a..4ec07f7af 100644
--- a/init.te
+++ b/init.te
@@ -212,14 +212,12 @@ allow init hw_random_device:chr_file r_file_perms;
 # TODO:  Move these files into their own type unless they are
 # only ever accessed by init.
 allow init device:file create_file_perms;
-auditallow init device:file create_file_perms;
 
 # Access character devices without a specific type,
 # e.g. /dev/keychord.
 # TODO: Move these devices into their own type unless they
 # are only ever accessed by init.
 allow init device:chr_file { rw_file_perms setattr };
-auditallow init device:chr_file { rw_file_perms setattr };
 
 # keychord configuration
 allow init self:capability sys_tty_config;
-- 
GitLab