Drop unused rules for raw I/O, mknod, and block device access. We added these rules to the kernel domain when we removed them from unconfined to ensure that we did not break anything. But we have seen no uses of these rules and this matches our expectation that any actual operations that require these permissions occurs after switching to the init domain. Change-Id: I6f3556a26b0f6f4e6effcb874bfc9498e7dfaa47 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: cdae7debe68bf20521085237b80da9417328841b [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Wed May 14 09:31:06 2014 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Wed May 14 09:31:06 2014 -0400
tree: eab2671dbc7cb4ddd371a0e89ef58c8370340e5a
parent: f78fb4e0c8ae49bb73e691a37de00f2d5b66f9e1 [diff]
diff --git a/kernel.te b/kernel.te
index c40d08b..0048a62 100644
--- a/kernel.te
+++ b/kernel.te

@@ -17,10 +17,3 @@
 
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel self:security setcheckreqprot;
-
-# For operations performed by kernel or init prior to switching to init domain.
-## TODO: Investigate whether it is safe to remove these
-allow kernel self:capability { sys_rawio mknod };
-auditallow kernel self:capability { sys_rawio mknod };
-allow kernel dev_type:blk_file rw_file_perms;
-auditallow kernel dev_type:blk_file rw_file_perms;
commit	cdae7debe68bf20521085237b80da9417328841b	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Wed May 14 09:31:06 2014 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Wed May 14 09:31:06 2014 -0400
tree	eab2671dbc7cb4ddd371a0e89ef58c8370340e5a
parent	f78fb4e0c8ae49bb73e691a37de00f2d5b66f9e1 [diff]