Remove service_manager_local_audit_domain.

service_manager_local_audit_domain was used to fine tune the service_manager auditallow rules when introducing the service_manager SELinux rules. This is no longer needed. (cherry-pick of commit: eab26faa) Bug: 21656807 Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75

Remove service_manager_local_audit_domain.
4b4b2b92 · dcashman · 93a7ab8c · 4b4b2b92 · 4b4b2b92 · 4b4b2b92
Commit 4b4b2b92 authored 9 years ago by dcashman
--- a/attributes
+++ b/attributes
@@ -73,6 +73,3 @@ attribute bluetoothdomain;

 # All domains used for binder service domains.
 attribute binderservicedomain;
-
-# All domains that are excluded from the domain.te auditallow.
-attribute service_manager_local_audit;
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -109,6 +109,5 @@ allow dumpstate tombstone_data_file:file r_file_perms;

 allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
-service_manager_local_audit_domain(dumpstate)

 allow dumpstate devpts:chr_file rw_file_perms;
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,8 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock };
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;

-service_manager_local_audit_domain(isolated_app)
-
 # only allow unprivileged socket ioctl commands
 allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;


--- a/shell.te
+++ b/shell.te
@@ -63,7 +63,6 @@ allow shell kernel:system syslog_read;
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 allow shell { service_manager_type -gatekeeper_service }:service_manager find;
-service_manager_local_audit_domain(shell)

 # allow shell to look through /proc/ for ps, top
 allow shell domain:dir { search open read getattr };

--- a/su.te
+++ b/su.te
@@ -50,5 +50,4 @@ userdebug_or_eng(`
  dontaudit su domain:debuggerd *;
  dontaudit su domain:drmservice *;
  dontaudit su unlabeled:filesystem *;
-  service_manager_local_audit_domain(su)
 ')
--- a/te_macros
+++ b/te_macros
@@ -346,14 +346,6 @@ define(`use_keystore', `
  binder_call($1, keystore)
 ')

-###########################################
-# service_manager_local_audit_domain(domain)
-# Has its own auditallow rule on service_manager
-# and should be excluded from the domain.te auditallow.
-define(`service_manager_local_audit_domain', `
-  typeattribute $1 service_manager_local_audit;
-')
-
 ###########################################
 # use_drmservice(domain)
 # Ability to use DrmService which requires