This reverts commit 525e3747.

Change-Id: I64f72073592f7f7553e763402a40c467c639cfce

(cherry picked from commit bbd56b71)

Change-Id: I0db435b80678a58cd9a6fbd5d67ba08f8e8d3cd4

* commit '6b82aaeb':
  Revert "SELinux policy changes for re-execing init."

* commit '6d97d9b8':
  Revert "SELinux policy changes for re-execing init."

shamu isn't booting.

This reverts commit 46e832f5.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca

* commit 'f17bbab7':
  SELinux policy changes for re-execing init.

* commit 'b1b5e662':
  allow adbd to set sys.usb.ffs.ready

* commit 'ecd57731':
  SELinux policy changes for re-execing init.

* commit 'caefbd71':
  allow adbd to set sys.usb.ffs.ready

Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9

Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448

* commit '268425b7':
  gatekeeperd: use more specific label for /data file

* commit '934cf6ea':
  gatekeeperd: use more specific label for /data file

* commit '479a536a':
  Grant apps write access to returned vfat FDs.

* commit 'e98cda25':
  Grant apps write access to returned vfat FDs.

* commit 'bb0385e2':
  Grant platform apps access to /mnt/media_rw.

Users can pick files from vfat devices through the Storage Access
Framework, which are returned through ParcelFileDescriptors.  Grant
apps write access to those files.  (Direct access to the files on
disk is still controlled through normal filesystem permissions.)

avc: denied { write } for pid=3235 comm="Binder_1" path=2F6D6E742F6D656469615F72772F373243322D303446392F6D656F772F6D79206469722F706963322E706E67 dev="sdb1" ino=87 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I24b4d8826f0a35825b2abc63d1cfe851e1c1bfe9

* commit 'c9036fb1':
  Grant platform apps access to /mnt/media_rw.

Raw physical storage devices are mounted by vold under /mnt/media_rw
and then wrapped in a FUSE daemon that presents them under /storage.

Normal apps only have access through /storage, but platform apps
(such as ExternalStorageProvider) often bypass the FUSE daemon for
performance reasons.

avc: denied { search } for pid=6411 comm="Binder_1" name="media_rw" dev="tmpfs" ino=6666 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { write } for pid=3701 comm="Binder_2" name="PANO_20131016_162457.jpg" dev="sda1" ino=127 scontext=u:r:platform_app:s0:c522,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad

Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5

* commit 'ab2ff479':
  New rules for SID access

* commit '6db824a7':
  New rules for SID access

Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e

* commit 'f06090af':
  neverallow shell file_type:file link

* commit 'd18f1482':
  su.te: add filesystem dontaudit rule

* commit '490a7a8a':
  neverallow shell file_type:file link

* commit '85416e06':
  su.te: add filesystem dontaudit rule

Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e

Addresses su denials which occur when mounting filesystems not
defined by policy.

Addresses denials similar to:

  avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1

Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e

This was only used on grouper, which is now EOLd.

Change-Id: Idb65930bb214fdb3339b18fae94ffb3f6ac391c5

fcdd3546 Add permission for Bluetooth Sim Access Profile

Change-Id: I9b40b17be0c9bf08ca48ad34d3718d421ec6466e

* commit '38885bc4':
  Add neverallow for mounting on proc

* commit 'e96c3abe':
  Add neverallow for mounting on proc