From 1af60916863d7ad82a93a58c1b3aa4613bea2ae9 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Wed, 10 Feb 2016 12:26:41 -0800
Subject: [PATCH] Remove appdomain sysfs auditallow.

Large numbers of denials have been collected. Remove from logging until further action is taken to address existing denials and remove sysfs access from additional appdomains.
(cherry-pick from commit: 0b80f4dc8aa09817532138ff2d1fbdc98a34a4ac)
Change-Id: I11b9b159702fb2d50d4352f9cd8b68503d07222a
---
 app.te | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/app.te b/app.te
index 8bc138d63..b89d4e15c 100644
--- a/app.te
+++ b/app.te
@@ -229,10 +229,6 @@ allow appdomain runas_exec:file getattr;
 selinux_check_access(appdomain)
 selinux_check_context(appdomain)
 
-# appdomain should not be accessing information on /sys
-auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
-auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
-
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
-- 
GitLab