Merge "Move python sepolicy tests to embedded launcher"
diff --git a/public/domain.te b/public/domain.te
index c471a50..9bc9e4e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -39,7 +39,6 @@
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
allow { domain -init } su:binder { call transfer };
- allow { domain -init } su:fd use;
# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
diff --git a/public/update_engine.te b/public/update_engine.te
index b8f0035..f67afc2 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -39,3 +39,13 @@
# Use Boot Control HAL
hal_client_domain(update_engine, hal_bootctl)
+
+# access /proc/misc and /proc/sys/kernel/random/boot_id
+allow update_engine proc:file r_file_perms;
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
+
+# Read files in /sys
+r_dir_file(update_engine, sysfs)
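Review bot: The added `allow update_engine proc:file r_file_perms;` grants read on every file that carries the generic `proc` label, while the comment above it names only /proc/misc and /proc/sys/kernel/random/boot_id. Since /proc/misc is already covered by the `proc_misc` rule on the next line, the generic rule seems to exist only for boot_id; the comment should say so, e.g. `# proc:file is broader than boot_id; narrow this once boot_id has its own type`. The last line, `r_dir_file(update_engine, sysfs)`, is also not a pure move: the line removed from update_engine_common.te names `uncrypt`, so update_engine gains read access to everything labelled generic `sysfs` in this commit. Its comment should list the /sys paths update_engine actually reads, so the grant can later be narrowed to them.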
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 7680e07..61d393a 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -37,13 +37,3 @@
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
-
-# access /proc/misc and /proc/sys/kernel/random/boot_id
-allow update_engine proc:file r_file_perms;
-allow update_engine proc_misc:file r_file_perms;
-
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
-
-# Read files in /sys
-r_dir_file(uncrypt, sysfs)