am 6c4c27e6: Give domains read access to security_file domain.

* commit '6c4c27e6':
  Give domains read access to security_file domain.

debuggerd.te

@@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:process ptrace;
-allow debuggerd rootfs:file r_file_perms;
+security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;
 allow debuggerd tombstone_data_file:dir relabelto;

installd.te

@@ -18,8 +18,8 @@ allow installd cgroup:dir create_dir_perms;
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
-# Read /seapp_contexts, presently on the rootfs.
-allow installd rootfs:file r_file_perms;
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(installd)
 # ASEC
 allow installd platform_app_data_file:lnk_file { create setattr };
 allow installd app_data_file:lnk_file { create setattr };

runas.te

@@ -34,7 +34,8 @@ allow runas app_data_file:dir { getattr search };
 allow runas self:capability { setuid setgid };
 
 # run-as switches to the app security context.
-allow runas rootfs:file r_file_perms; # read /seapp_contexts
+# read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas untrusted_app:process dyntransition; # setcon
 

system.te

@@ -148,8 +148,8 @@ allow system tun_device:chr_file rw_file_perms;
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
 
-# Read /file_contexts.
-allow system rootfs:file r_file_perms;
+# Read /file_contexts and /data/security/file_contexts
+security_access_policy(system)
 
 # Relabel apk files.
 allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };

te_macros

@@ -236,8 +236,6 @@ allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 allow $1 rootfs:dir r_dir_perms;
 allow $1 rootfs:file r_file_perms;
-allow $1 system_file:dir r_dir_perms;
-allow $1 system_file:file r_file_perms;
 ')
 
 #####################################
@@ -285,4 +283,4 @@ allow $1 system_file:file x_file_perms;
 # man 2 klogctl
 define(`access_kmsg', `
 allow $1 kernel:system syslog_read;
-')
+')
\ No newline at end of file

ueventd.te

@@ -2,7 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
-allow ueventd rootfs:file r_file_perms;
+security_access_policy(ueventd)
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };

vold.te

@@ -60,6 +60,6 @@ allow vold vold_prop:property_service set;
 # ASEC
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
-allow vold rootfs:file r_file_perms;
+security_access_policy(vold)
 allow vold asec_apk_file:dir { rw_dir_perms setattr };
 allow vold asec_apk_file:file { r_file_perms setattr };

zygote.te

@@ -28,8 +28,8 @@ allow zygote self:capability sys_admin;
 selinux_check_context(zygote)
 # Check SELinux permissions.
 selinux_check_access(zygote)
-# Read /seapp_contexts, presently on the rootfs.
-allow zygote rootfs:file r_file_perms;
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(zygote)
 
 # Setting up /storage/emulated.
 allow zygote rootfs:dir mounton;