Merge "update isolated_app service_manager rules"
diff --git a/recovery.te b/recovery.te
index 61c42b1..b0616ae 100644
--- a/recovery.te
+++ b/recovery.te
@@ -36,11 +36,9 @@
# support to OTAs. However, that code has a bug. When an update occurs,
# some directories are inappropriately labeled as exec_type. This is
# only transient, and subsequent steps in the OTA script correct this
- # mistake.
- # Allow this behavior for now until we can fix the underlying bug.
- # b/15575013
+ # mistake. New devices are moving to block based OTAs, so this is not
+ # worth fixing. b/15575013
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
- auditallow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
# Write to /proc/sys/vm/drop_caches
# TODO: create more specific label?
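Review bot: The `allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };` rule is now a permanent grant over every exec_type directory, and the rewritten comment gives no condition under which it can be dropped. With the matching auditallow removed, nothing will be logged when recovery uses the permission, so a later cleanup has no data to show whether the rule is still exercised. I would add a line to the comment such as `# Remove this rule once file-based OTAs are no longer supported.`, assuming that is the intended end state. The comment block starts above the hunk, so the full rationale is not visible here.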
diff --git a/system_server.te b/system_server.te
index 191c446..41036b6 100644
--- a/system_server.te
+++ b/system_server.te
@@ -49,7 +49,6 @@
net_broadcast
net_raw
sys_boot
- sys_module
sys_nice
sys_resource
sys_time