Enable selinux read_policy for adb pull. Remove permission from appdomain. Bug: 16866291 Change-Id: I37936fed33c337e1ab2816258c2aff52700af116

commit: 309cc668f9da5a3e4df7ecd44f3618864e4cf7eb [log] [tgz]
author: dcashman <dcashman@google.com> Tue Sep 09 11:38:42 2014 -0700
committer: dcashman <dcashman@google.com> Tue Sep 09 14:28:25 2014 -0700
tree: d4cdb15bcec0d4b1ac54505ff72b32c6bb4dca87
parent: abfd427a3226a8bb696e5e5b9239f5445a680f6c [diff]
diff --git a/adbd.te b/adbd.te
index 58fdead..b0f5895 100644
--- a/adbd.te
+++ b/adbd.te

@@ -68,3 +68,5 @@
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;
+
+allow adbd kernel:security read_policy;

diff --git a/app.te b/app.te
index 6c38f10..615b39e 100644
--- a/app.te
+++ b/app.te

@@ -170,8 +170,6 @@
 # Check SELinux policy and contexts.
 selinux_check_access(appdomain)
 selinux_check_context(appdomain)
-# Enable reading of current selinux policy file
-allow appdomain kernel:security read_policy;
 # Validate that each process is running in the correct security context.
 allow appdomain domain:process getattr;
commit	309cc668f9da5a3e4df7ecd44f3618864e4cf7eb	[log] [tgz]
author	dcashman <dcashman@google.com>	Tue Sep 09 11:38:42 2014 -0700
committer	dcashman <dcashman@google.com>	Tue Sep 09 14:28:25 2014 -0700
tree	d4cdb15bcec0d4b1ac54505ff72b32c6bb4dca87
parent	abfd427a3226a8bb696e5e5b9239f5445a680f6c [diff]