priv_app.te: refine cache_recovery_file auditallow rules
priv_app reads from /cache/recovery, but I'm still not sure if
it writes. Eliminate the read auditallow rules and allow the
writes to show up (if any).
Eliminates the following auditallow messages:
avc: granted { search } for comm="IntentService[S" name="recovery" dev="mmcblk0p38" ino=12 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
avc: granted { getattr } for comm="Thread-1" path="/cache/recovery/last_install" dev="mmcblk0p27" ino=29891 scontext=u:r:priv_app:s0:c525,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=file
avc: granted { read open } for comm="Thread-1" name="recovery" dev="mmcblk0p27" ino=29889 scontext=u:r:priv_app:s0:c525,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
Change-Id: Ibc0640f5366aae50e3fd09d17657374390b24a5c
diff --git a/priv_app.te b/priv_app.te
index 7099044..bd98ab7 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -36,8 +36,8 @@
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
-auditallow priv_app cache_recovery_file:dir create_dir_perms;
-auditallow priv_app cache_recovery_file:file create_file_perms;
+auditallow priv_app cache_recovery_file:dir no_w_dir_perms;
+auditallow priv_app cache_recovery_file:file no_w_file_perms;
# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;