Split system_app from system.
system_app is for apps that run in the system UID, e.g. Settings.
system is for the system_server.
Split them into separate files and note their purpose in the comment
header of each file.
Change-Id: I19369abc728ba2159fd50ae6b230828857e19f10
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/system.te b/system.te
index 3dda4b4..f29367c 100644
--- a/system.te
+++ b/system.te
@@ -1,8 +1,7 @@
-type system_app, domain;
-permissive system_app;
-app_domain(system_app)
-unconfined_domain(system_app)
-
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
type system, domain;
permissive system;
unconfined_domain(system);
diff --git a/system_app.te b/system_app.te
new file mode 100644
index 0000000..61a18db
--- /dev/null
+++ b/system_app.te
@@ -0,0 +1,9 @@
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings. These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+permissive system_app;
+app_domain(system_app)
+unconfined_domain(system_app)