Give domains read access to security_file domain.

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

debuggerd.te

@@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:process ptrace;
-allow debuggerd rootfs:file r_file_perms;
+security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;
 allow debuggerd tombstone_data_file:dir relabelto;

installd.te

@@ -18,8 +18,8 @@ allow installd cgroup:dir create_dir_perms;
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
-# Read /seapp_contexts, presently on the rootfs.
-allow installd rootfs:file r_file_perms;
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(installd)
 # ASEC
 allow installd platform_app_data_file:lnk_file { create setattr };
 allow installd app_data_file:lnk_file { create setattr };

runas.te

@@ -34,7 +34,8 @@ allow runas app_data_file:dir { getattr search };
 allow runas self:capability { setuid setgid };
 
 # run-as switches to the app security context.
-allow runas rootfs:file r_file_perms; # read /seapp_contexts
+# read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas untrusted_app:process dyntransition; # setcon
 

system.te

@@ -147,8 +147,8 @@ allow system tun_device:chr_file rw_file_perms;
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
 
-# Read /file_contexts.
-allow system rootfs:file r_file_perms;
+# Read /file_contexts and /data/security/file_contexts
+security_access_policy(system)
 
 # Relabel apk files.
 allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };

te_macros

@@ -236,8 +236,6 @@ allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 allow $1 rootfs:dir r_dir_perms;
 allow $1 rootfs:file r_file_perms;
-allow $1 system_file:dir r_dir_perms;
-allow $1 system_file:file r_file_perms;
 ')
 
 #####################################
@@ -285,4 +283,4 @@ allow $1 system_file:file x_file_perms;
 # man 2 klogctl
 define(`access_kmsg', `
 allow $1 kernel:system syslog_read;
-')
+')
\ No newline at end of file

ueventd.te

@@ -2,7 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
-allow ueventd rootfs:file r_file_perms;
+security_access_policy(ueventd)
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };

vold.te

@@ -60,6 +60,6 @@ allow vold vold_prop:property_service set;
 # ASEC
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
-allow vold rootfs:file r_file_perms;
+security_access_policy(vold)
 allow vold asec_apk_file:dir { rw_dir_perms setattr };
 allow vold asec_apk_file:file { r_file_perms setattr };

zygote.te

@@ -28,8 +28,8 @@ allow zygote self:capability sys_admin;
 selinux_check_context(zygote)
 # Check SELinux permissions.
 selinux_check_access(zygote)
-# Read /seapp_contexts, presently on the rootfs.
-allow zygote rootfs:file r_file_perms;
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(zygote)
 
 # Setting up /storage/emulated.
 allow zygote rootfs:dir mounton;