Enable selinux read_policy for adb pull.
Remove permission from appdomain.
(cherry picked from commit 309cc668f9da5a3e4df7ecd44f3618864e4cf7eb)
Bug: 16866291
Change-Id: I37936fed33c337e1ab2816258c2aff52700af116
diff --git a/adbd.te b/adbd.te
index a9a6355..9d3d30d 100644
--- a/adbd.te
+++ b/adbd.te
@@ -69,6 +69,8 @@
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
+allow adbd kernel:security read_policy;
+
service_manager_local_audit_domain(adbd)
auditallow adbd {
service_manager_type
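Review bot: The added `allow adbd kernel:security read_policy;` has no comment, whereas the rule this commit removes from app.te had one. A line above it such as `# Allow adb pull of the loaded policy (/sys/fs/selinux/policy).` would record why adbd holds this permission. The grant is also unconditional, so it applies on every build type where adbd runs. If the pull is only needed for debugging or testing, wrapping the rule in the `userdebug_or_eng` macro would keep it out of user builds, though that depends on consumers not visible in this diff. The hunk does not show whether adbd already has read access to the selinuxfs node itself, which this permission presumably relies on.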
diff --git a/app.te b/app.te
index 63ee7aa..491eea3 100644
--- a/app.te
+++ b/app.te
@@ -166,8 +166,6 @@
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
-# Enable reading of current selinux policy file
-allow appdomain kernel:security read_policy;
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;