This reverts commit 22fc0410

Change-Id: I2d91b1262e8d0e82a21ea7c5333b1e86f3ed9bee

* commit '6d6c617f':
  Whitespace and doxygen fix

* commit 'ee80bfb9':
  Add policy assertions (neverallow rules).

* commit 'c0890c89':
  Allow domain to random_device

* commit '6a64897a':
  Do not allow access to device:chr_file for system

* commit '1c8464e1':
  App data backup security policy.

* commit 'c57dbccb':
  Change security policy so all apps can read /dev/xt_qtaguid.

* commit '5988bbf8':
  Dynamic insertion of pubkey to mac_permissions.xml

* commit '04598de8':
  Replaceable mac_permission.xml support

* commit '669f6792':
  mediaserver.te refactor

* commit 'eeafabde':
  Label persist audio properties

Change-Id: I384ea9516a5ed2369f7fa703499e284e29a2c0eb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also labels /dev/mpu and /dev/mpuirq as gps device.
mpu is motion processing unit and is resposible for
gyroscope functionality.

Change-Id: If7f1a5752c550b72fac681566e1052f09e139ff0

Policy covers:

 * backup_data_file type for labeling all
   files/dirs under /data dealing with
   backup mechanism.

 * cache_backup_file type for labeling all
   files/dirs under /cache dealing with
   backup mechanism. This also covers the
   the use of LocalTransport for local archive
   and restore testing.

 * the use of 'adb shell bmgr' to initiate
   backup mechanism from shell.

 * the use of 'adb backup/restore' to archive
   and restore the device's data.

Change-Id: I700a92d8addb9bb91474bc07ca4bb71eb4fc840e
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

* commit 'e468016b':
  zygote requires setpcap in order to drop from its bounding set.

I8560fa5ad125bf31f0d13be513431697bc7d22bb changed the zygote
to limit the bounding capability set to CAP_NET_RAW.  This triggers
a CAP_SETPCAP check by the kernel, which requires SELinux setpcap permission.

Change-Id: Ib910d97dcf708273e2806e2824f4abe9fc239d6d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I1a728cbc78e30c0b43309acc125169528d352f11

* commit '58b0fb6d':
  Fix invalid specification for adb_keys.

A prior change added an entry for adb_keys without any security context,
yielding warnings like the following during build:
out/target/product/manta/root/file_contexts:  line 7 is missing fields, skipping

This adds the missing security context field.

Change-Id: If48731c8aa7d22a3f547d0854f288ff68f9006da
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '92b9aa0e':
  add file_contexts entries for root filesystem

It may be useful to generate an ext4 image of the root filesystem
instead of using a ramdisk.  Whitelist entries in file_contexts to
support selinux labeling a root filesystem image.

Change-Id: I91a38d0aee4408c46cbfe5dc5e6eda198572e90f

Support the inseretion of the public key from pem
files into the mac_permissions.xml file at build
time.

Change-Id: Ia42b6cba39bf93723ed3fb85236eb8f80a08962a

Support overriding ma_permissions.xml
in BOARD_SEPOLICY_REPLACE

Change-Id: If0bca8bf29bc431a291b6d7b20de132e68cd6a79

Generic init.rc allows any process to use
socket tagging. Adjust app policy to ensure
that any app can read from the misc device.

Change-Id: I4076f0fbc1795f57a4227492f6bfc39a4398ffa5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Change-Id: Ieaff9f3362c71e25e5c8e7204397a85ff14fff97

label all persist.audio.* properties
and allow mediaserver access to them.

Change-Id: If5755d9783dce298e66a25bcb7f17ff17bd83ea7

Change-Id: I7b6ad050051854120dc8031b17da6aec0e644be3

* commit 'e8848726':
  Add policy for run-as program.

* commit 'fdaa7869':
  README for configuration of selinux policy

* commit 'c34a2527':
  Allow shell to connect to property service

Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.

Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I06ea2b400cc826c684b6ad25e12b021c2667b48a