shell.te: allow rules before neverallow rules

By convention, allow rules should be placed before neverallow rules. Change-Id: Icb9155bcce1f77bebbf9dc83a8c7b97e161c88a5

shell.te: allow rules before neverallow rules
9c5b4a8a · Nick Kralevich · 96b1c9ca · 9c5b4a8a
Commit 9c5b4a8a authored 9 years ago by Nick Kralevich
--- a/shell.te
+++ b/shell.te
@@ -112,6 +112,14 @@ allow shell bootchart_data_file:file create_file_perms;
 # Make sure strace works for the non-privileged shell user
 allow shell self:process ptrace;

+
+# Allow access to ion memory allocation device.
+allow shell ion_device:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+
 # Do not allow shell to hard link to any files.
 # In particular, if shell hard links to app data
 # files, installd will not be able to guarantee the deletion
@@ -119,6 +127,3 @@ allow shell self:process ptrace;
 # bugs, so we want to ensure the shell user never has this
 # capability.
 neverallow shell file_type:file link;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;