Update neverallow exception. After offline discussions, we decided that this was the proper exception to the neverallow rule. Test: Built policy. Change-Id: Ic1603bfdd803151ccfb79f90195b83b616acc873

commit: b40eb255a7ce73c75253e17f7632078a32fe7196 [log] [tgz]
author: Joel Galenson <jgalenson@google.com> Wed Jan 03 13:18:53 2018 -0800
committer: Joel Galenson <jgalenson@google.com> Thu Jan 04 09:36:58 2018 -0800
tree: 4740b6383675b0fc0137f6de44fccb67ab2f353b
parent: 6168a12ea9194498649a3878d46e3671c518d60f [diff]
diff --git a/public/domain.te b/public/domain.te
index f9b6688..142c10b 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -1116,10 +1116,12 @@
 neverallow * same_process_hwservice:hwservice_manager add;
 
 # On TREBLE devices, most coredomains should not access vendor_files.
+# TODO(b/71553434): Remove exceptions here.
 full_treble_only(`
   neverallow {
     coredomain
-    -halclientdomain
+    -appdomain
+    -bootanim
     -init
     -ueventd
     -crash_dump
commit	b40eb255a7ce73c75253e17f7632078a32fe7196	[log] [tgz]
author	Joel Galenson <jgalenson@google.com>	Wed Jan 03 13:18:53 2018 -0800
committer	Joel Galenson <jgalenson@google.com>	Thu Jan 04 09:36:58 2018 -0800
tree	4740b6383675b0fc0137f6de44fccb67ab2f353b
parent	6168a12ea9194498649a3878d46e3671c518d60f [diff]