From b8d794a1e08ddeecff89ded5fad0b7d2923adc4e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 16 Jan 2016 08:02:21 -0800
Subject: [PATCH] priv_app.te: drop auditallows on cache_recovery_file

This is actually used. Addresses the following SELinux audit logs:

  avc: granted { create } for comm="Thread-157" name="uncrypt_file" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { add_name } for comm="Thread-157" name="uncrypt_file" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
  avc: granted { write } for comm="Thread-157" path="/cache/recovery/uncrypt_file" dev="mmcblk0p38" ino=22 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { write } for comm="Thread-157" path="/cache/recovery/command" dev="mmcblk0p38" ino=23 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { setattr } for comm="Thread-157" name="uncrypt_file" dev="mmcblk0p38" ino=22 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file

Change-Id: Idab00ebc8eacd7d8bb793b9342249227f91986a1
---
 priv_app.te | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/priv_app.te b/priv_app.te
index bd98ab7a0..dc792e8f4 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -36,9 +36,6 @@ allow priv_app mnt_media_rw_file:dir search;
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
 allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
 
-auditallow priv_app cache_recovery_file:dir no_w_dir_perms;
-auditallow priv_app cache_recovery_file:file no_w_file_perms;
-
 # Access to /data/media.
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;
-- 
GitLab