Merge "Only auditallow unlabeled accesses not allowed elsewhere."
diff --git a/domain.te b/domain.te
index e277972..5464d86 100644
--- a/domain.te
+++ b/domain.te
@@ -150,11 +150,18 @@
#
allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init -installd } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel -installd } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init -installd -vold -system_server } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel -installd -vold -system_server } unlabeled:dir { create_dir_perms relabelfrom };
auditallow kernel unlabeled:dir ~search;
-auditallow installd unlabeled:dir ~{ getattr search relabelfrom };
-auditallow installd unlabeled:notdevfile_class_set ~{ getattr relabelfrom };
+auditallow installd unlabeled:dir ~{ getattr search relabelfrom rw_dir_perms rmdir };
+auditallow installd unlabeled:file ~{ r_file_perms getattr relabelfrom rename unlink setattr };
+auditallow installd unlabeled:{ lnk_file sock_file fifo_file } ~{ getattr relabelfrom rename unlink setattr };
+auditallow vold unlabeled:dir ~{ r_dir_perms setattr relabelfrom };
+auditallow vold unlabeled:file ~{ r_file_perms setattr relabelfrom };
+auditallow vold unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
+auditallow system_server unlabeled:dir ~r_dir_perms;
+auditallow system_server unlabeled:file ~r_file_perms;
+auditallow system_server unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
###
### neverallow rules