From 2cc942052d03d9a58e338d990bb8a364bdfcace2 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 28 Aug 2015 08:49:49 -0700
Subject: [PATCH] install_recovery: drop toolbox auditallow

Toolbox is definitely used from install_recovery. Addresses
the following auditallow messages (logged as "granted", not denials):

  type=1400 audit(0.0:7): avc: granted { execute } for comm="install-recover" name="toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:6): avc: granted { getattr } for comm="install-recover" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:13): avc: granted { read } for comm="log" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:9): avc: granted { read open } for comm="install-recover" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file

Change-Id: I51d6e474f34afe1f33ea8294a344aa71e41deead
---
 install_recovery.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/install_recovery.te b/install_recovery.te
index cbc863425..aba2c51e9 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -13,9 +13,7 @@ allow install_recovery shell_exec:file rx_file_perms;
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;
 
-# XXX Execute toolbox.  Might not be needed.
 allow install_recovery toolbox_exec:file rx_file_perms;
-auditallow install_recovery toolbox_exec:file rx_file_perms;
 
 # Update the recovery block device based off a diff of the boot block device
 allow install_recovery block_device:dir search;
-- 
GitLab