Earlier changes had extended the rules, but some additional changes
are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0
    tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: Ia644c73ec10460a2a529fe197ade6afe46694651

* commit '51ad2ad3':
  recovery: start enforcing SELinux rules

* commit 'c2ba5ed9':
  recovery: start enforcing SELinux rules

Start enforcing SELinux rules for recovery. I've been monitoring
denials, and I haven't seen anything which would indicate a problem.
We can always roll this back if something goes wrong.

Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3

* commit 'b23905e5':
  fix build.

* commit '3508d611':
  fix build.

  libsepol.check_assertion_helper: neverallow on line 166 of external/sepolicy/domain.te (or line 5056 of policy.conf) violated by allow recovery unlabeled:file { create };
  Error while expanding policy
  make: *** [out/target/product/generic/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery] Error 1

(cherry picked from commit 3508d611)

Change-Id: I5efa1f2040fc40df1df44ed1b8e84b6080cb8f74

  libsepol.check_assertion_helper: neverallow on line 166 of external/sepolicy/domain.te (or line 5056 of policy.conf) violated by allow recovery unlabeled:file { create };
  Error while expanding policy
  make: *** [out/target/product/generic/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery] Error 1

Change-Id: Iddf2cb8d0de2ab445e54a727f01be0b992b45ba5

* commit 'e9f1c019':
  recovery: allow relabelto unlabeled and other unlabeled rules

* commit '558710cd':
  recovery: allow relabelto unlabeled and other unlabeled rules

The recovery script may ask to label a file with a label not
known to the currently loaded policy. Allow it.

Addresses the following denials:

  avc:  denied  { relabelto } for  pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
  avc:  denied  { setattr } for  pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94

* commit '04aabbac':
  Add neverallow rules further restricing service_manager.

* commit 'c0088b80':
  Add neverallow rules further restricing service_manager.

* commit '7b7a25ea':
  ueventd: Add policy support for ueventd labeling changes

* commit 'b8bdfde3':
  ueventd: Add policy support for ueventd labeling changes

Currently, ueventd only modifies the SELinux label on a file
if the entry exists in /ueventd.rc. Add policy support to enable
an independent restorecon_recursive whenever a uevent message occurs.

Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac

Add a neverallow rule that prevents domain from adding a
default_android_service. Add a neverallow rule that prevents
untrusted_app from ever adding a service through
servicemanager.

Change-Id: I963671fb1224147bb49ec8f0b6be0dcc91c23156

* commit '80e22de8':
  system_server: bring back sdcard_type neverallow rule

* commit '185de528':
  Remove -unconfineddomain from neverallow rules

* commit '5b2ed833':
  system_server: bring back sdcard_type neverallow rule

* commit 'be660697':
  Remove -unconfineddomain from neverallow rules

Many of the neverallow rules have -unconfineddomain. This was
intended to allow us to support permissive_or_unconfined(), and
ensure that all domains were enforcing at least a minimal set of
rules.

Now that all the app domains are in enforcing / confined, there's
no need to allow for these exceptions. Remove them.

Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f

* commit '9523f237':
  recovery: allow creating and reading fuse filesystems

We had disabled the neverallow rule when system_server was
in permissive_or_unconfined(), but forgot to reenable it.
Now that system_server is in enforcing/confined, bring it
back.

Change-Id: I6f74793d4889e3da783361c4d488b25f804ac8ba

* commit '93d849b6':
  recovery: allow creating and reading fuse filesystems

The new sideloading mechanism in recovery needs to create a fuse
filesystem and read files from it.

Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf

* commit 'b5a39ee1':
  Trivial change to support different SELinux policies for third party apps

* commit '4be31900':
  Trivial change to support different SELinux policies for third party apps

Needed to support https://android-review.googlesource.com/80871

Change-Id: Iba569c046135c0e81140faf6296c5da26a243037

am 016e7f71: am 77eb3526: Grant Bluetooth CAP_WAKE_ALARM so it can use the POSIX timer API for wake alarms.

* commit '016e7f71':
  Grant Bluetooth CAP_WAKE_ALARM so it can use the POSIX timer API for wake alarms.

* commit '77eb3526':
  Grant Bluetooth CAP_WAKE_ALARM so it can use the POSIX timer API for wake alarms.

Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e

* commit '3602071c':
  Remove keystore auditallow statements from system.

* commit '596bcc76':
  Remove keystore auditallow statements from system.

Remove the auditallow statements related to keystore
in system_app and system_server.

Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28

* commit '0d9cefbb':
  Remove auditallow statements causing log spam.

* commit '22e0c414':
  Remove auditallow statements causing log spam.

Remove the auditallow statements from app.te and
binderservicedomain.te which were causing log spam.

Change-Id: If1c33d1612866df9f338e6d8c19d73950ee028eb