From 997d4a189f6aed9c8817bb42e791be6002813141 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 2 Apr 2014 14:19:42 -0400
Subject: [PATCH] Drop dontaudit sys_admin rule from rild.

Old Android kernels (e.g. kernel/goldfish android-2.6.29 commit 2bda29)
fell back to a CAP_SYS_ADMIN check even before checking uids if the cgroup
subsystem did not define its own can_attach handler.  This doesn't appear
to have ever been the case of mainline, and is not true of the 3.4 Android
kernels.  So we no longer need to dontaudit sys_admin to avoid log noise.

Change-Id: I2faade6665a4adad91472c95f94bd922a449b240
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 rild.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rild.te b/rild.te
index 424a61d7f..6d2cd3884 100644
--- a/rild.te
+++ b/rild.te
@@ -24,7 +24,6 @@ allow rild sdcard_type:dir r_dir_perms;
 allow rild system_data_file:dir r_dir_perms;
 allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
-dontaudit rild self:capability sys_admin;
 
 # property service
 allow rild rild_prop:property_service set;
-- 
GitLab