Drop dontaudit sys_admin rule from rild. Old Android kernels (e.g. kernel/goldfish android-2.6.29 commit 2bda29) fell back to a CAP_SYS_ADMIN check even before checking uids if the cgroup subsystem did not define its own can_attach handler. This doesn't appear to have ever been the case of mainline, and is not true of the 3.4 Android kernels. So we no longer need to dontaudit sys_admin to avoid log noise. Change-Id: I2faade6665a4adad91472c95f94bd922a449b240 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: 997d4a189f6aed9c8817bb42e791be6002813141 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Wed Apr 02 14:19:42 2014 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Wed Apr 02 14:19:42 2014 -0400
tree: 64254772a30f07175aad763ccb5dfc6612ca6bef
parent: 1cb990de6d90928f167779ca6ad7cb42d4022a11 [diff]
diff --git a/rild.te b/rild.te
index 424a61d..6d2cd38 100644
--- a/rild.te
+++ b/rild.te

@@ -24,7 +24,6 @@
 allow rild system_data_file:dir r_dir_perms;
 allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
-dontaudit rild self:capability sys_admin;
 
 # property service
 allow rild rild_prop:property_service set;
commit	997d4a189f6aed9c8817bb42e791be6002813141	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Wed Apr 02 14:19:42 2014 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Wed Apr 02 14:19:42 2014 -0400
tree	64254772a30f07175aad763ccb5dfc6612ca6bef
parent	1cb990de6d90928f167779ca6ad7cb42d4022a11 [diff]