resolved conflicts for merge of c06d0fef to klp-modular-dev-plus-aosp

Change-Id: I3c26b36866c58c1f25a7d82c70cd29d30d8828e0

domain.te

@@ -142,31 +142,13 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
-# World readable asec image contents
-allow domain asec_public_file:file r_file_perms;
-allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
-
-######## Backwards compatibility - Unlabeled files ############
-
-# Revert to DAC rules when looking at unlabeled files. Over time, the number
-# of unlabeled files should decrease.
-# TODO: delete these rules in the future.
-#
-# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
-# capability, it's essentially useless. This is needed to allow an app with
-# relabelto to relabel unlabeled files.
-#
-allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
-auditallow kernel unlabeled:dir ~search;
-neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
-
 ###
 ### neverallow rules
 ###
 
+# Limit ability to relabel files to domains marked with relabelto_domain().
+neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;