diff --git a/domain.te b/domain.te index fba96f6a809fcdff0272f00eca90e73722b568e7..4917aedf88b9431ad32cf8b664f9a192a2622edf 100644 --- a/domain.te +++ b/domain.te @@ -266,7 +266,7 @@ neverallow domain init:binder *; # Don't allow raw read/write/open access to block_device # Rather force a relabel to a more specific type -neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write }; +neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write }; # Don't allow raw read/write/open access to generic devices. # Rather force a relabel to a more specific type. diff --git a/vold.te b/vold.te index 5abb2f95eefd19b191d0198381d6b0e00687bb14..5ecb5033fe12cbbc059ec016d765e78cffe632c1 100644 --- a/vold.te +++ b/vold.te @@ -28,8 +28,6 @@ allow vold system_file:file x_file_perms; allow vold toolbox_exec:file rx_file_perms; auditallow vold toolbox_exec:file rx_file_perms; allow vold block_device:dir create_dir_perms; -allow vold block_device:blk_file create_file_perms; -auditallow vold block_device:blk_file create_file_perms; allow vold device:dir write; allow vold devpts:chr_file rw_file_perms; allow vold rootfs:dir mounton;