Sync internal master and AOSP sepolicy.

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
diff --git a/private/priv_app.te b/private/priv_app.te
index 109c869..60fb411 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -27,7 +27,6 @@
 allow priv_app mediacodec_service:service_manager find;
 allow priv_app mediametrics_service:service_manager find;
 allow priv_app mediadrmserver_service:service_manager find;
-allow priv_app mediacasserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
@@ -108,8 +107,14 @@
 # Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
 allow priv_app keystore:keystore_key gen_unique_id;
 
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow priv_app selinuxfs:file r_file_perms;
+
 read_runtime_log_tags(priv_app)
 
+# suppress denials when safetynet scans /system
+dontaudit priv_app exec_type:file getattr;
+
 ###
 ### neverallow rules
 ###
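Review bot: The added `allow priv_app selinuxfs:file r_file_perms;` is wider than its comment states: it grants read on every file labelled selinuxfs, not only policyvers, and it applies to the whole priv_app domain rather than GMS core alone. If the entire mount shares that single label (not visible in this hunk), the comment should record the real scope, for example `# Grants read on all selinuxfs files to every priv_app; only policyvers is needed (GMS core compatibility check)`. The added `dontaudit priv_app exec_type:file getattr;` has the same breadth problem on the logging side: it silences getattr denials on every exec_type file for every privileged app, so such denials from any priv_app no longer reach the audit log. Its comment should say that, or the rule could be limited to the specific types the safetynet scan is known to hit.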