Merge "domain: relax execmod restrictions"
diff --git a/domain.te b/domain.te
index 3a84659..5a3d3c9 100644
--- a/domain.te
+++ b/domain.te
@@ -390,10 +390,13 @@
 # which, long term, need to go away.
 neverallow domain {
   file_type
+  -system_file      # needs to die. b/20013628
   -system_data_file
   -apk_data_file
   -app_data_file
   -asec_public_file
 }:file execmod;
 
-neverallow { domain -appdomain } file_type:file execmod;
+# TODO: prohibit non-zygote spawned processes from using shared libraries
+# with text relocations. b/20013628 .
+# neverallow { domain -appdomain } file_type:file execmod;
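Review bot: Commenting out the second neverallow at the end of the hunk drops the build-time assertion for every file type, not only system_file, so a later allow rule could give a non-app domain execmod on system_data_file, apk_data_file, app_data_file or asec_public_file without failing the policy build. If the relaxation is only meant to cover text-relocation libraries labelled system_file, as the TODO seems to indicate, a narrower form keeps the rest of the guard: `neverallow { domain -appdomain } { file_type -system_file }:file execmod;`. The inline comment `# needs to die. b/20013628` would also be clearer if it said what has to go away, for example `# text relocations in system libraries; drop this exception once b/20013628 is fixed`.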