Apply full_treble_only to whole rule. The way we build and run CTS expects full_treble_only and compatible_property_only macros to be applied to whole rules and not be nested inside other rules. Fixes: 122601363 Test: corresponding neverallow rule in auto-generated SELinuxNeverallowRulesTest.java is parsed correctly. Change-Id: Ibf5187cedca72510fe74c6dc55a75a54a86c02ff

commit: 1e99de5779a130fa4d450791a8eb88d4b9cad5c4 [log] [tgz]
author: Tri Vo <trong@google.com> Wed Jan 09 16:37:04 2019 -0800
committer: Tri Vo <trong@google.com> Wed Jan 09 16:57:09 2019 -0800
tree: f40a4d7e5885b17cafd9960c0283d1a5cf0797d5
parent: a739746990b3b64a5365f4545c1b548dc2f76822 [diff]
diff --git a/private/coredomain.te b/private/coredomain.te
index 7413515..1fc3b8a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te

@@ -178,7 +178,10 @@
 neverallow coredomain {
   iio_device
   radio_device
-  # TODO(b/120243891): HAL permission to tee_device is included into coredomain
-  # on non-Treble devices.
-  full_treble_only(`tee_device')
 }:chr_file { open read append write ioctl };
+
+# TODO(b/120243891): HAL permission to tee_device is included into coredomain
+# on non-Treble devices.
+full_treble_only(`
+  neverallow coredomain tee_device:chr_file { open read append write ioctl };
+')
commit	1e99de5779a130fa4d450791a8eb88d4b9cad5c4	[log] [tgz]
author	Tri Vo <trong@google.com>	Wed Jan 09 16:37:04 2019 -0800
committer	Tri Vo <trong@google.com>	Wed Jan 09 16:57:09 2019 -0800
tree	f40a4d7e5885b17cafd9960c0283d1a5cf0797d5
parent	a739746990b3b64a5365f4545c1b548dc2f76822 [diff]