From 9c5b4a8a443abfd72db79a74c1dbe990bfcb0210 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 22 Dec 2015 09:40:03 -0800
Subject: [PATCH] shell.te: allow rules before neverallow rules

By convention, allow rules should be placed before neverallow rules.

Change-Id: Icb9155bcce1f77bebbf9dc83a8c7b97e161c88a5
---
 shell.te | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/shell.te b/shell.te
index f87027daf..9622905b4 100644
--- a/shell.te
+++ b/shell.te
@@ -112,6 +112,14 @@ allow shell bootchart_data_file:file create_file_perms;
 # Make sure strace works for the non-privileged shell user
 allow shell self:process ptrace;
 
+
+# Allow access to ion memory allocation device.
+allow shell ion_device:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+
 # Do not allow shell to hard link to any files.
 # In particular, if shell hard links to app data
 # files, installd will not be able to guarantee the deletion
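Review bot: The move leaves two consecutive blank lines at the top of the hunk, the existing blank after `allow shell self:process ptrace;` plus the added one, so the added blank line before `# Allow access to ion memory allocation device.` should be dropped. While the rule is being relocated, its comment should also state why the unprivileged shell domain needs `rw_file_perms` on the ion allocator device, since that is a non-trivial grant and nothing in the hunk or the commit message records the reason; something like `# Needed by <tool/test> for buffer allocation; see <bug> — TODO confirm` would do. Neither hunk changes what the policy permits, so the neverallow assertion on `file_type:file link` is unaffected by the reordering.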
@@ -119,6 +127,3 @@ allow shell self:process ptrace;
 # bugs, so we want to ensure the shell user never has this
 # capability.
 neverallow shell file_type:file link;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;
-- 
GitLab