From c17d30a54219f1dd4b2e736a73cce6c14180a40a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 20 Dec 2013 15:32:39 -0500
Subject: [PATCH] Delete dalvikcache_data_file write/setattr access from shell.

This showed up at some point in the past during our own
internal CTS testing, but it seems wrong based on the DAC
permissions and is a potential way to inject code into apps
from the shell.  Drop it for now and see if it shows up again.
This predates userdebug/eng vs user shell split so possibly
it only happens in the userdebug/eng case.

Change-Id: If8b1e7817f8efecbf68a0ba5fd06328a23a6c6db
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 shelldomain.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/shelldomain.te b/shelldomain.te
index 1394350bc..14a64ee86 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -22,7 +22,6 @@ allow shelldomain shell_exec:file rx_file_perms;
 allow shelldomain zygote_exec:file rx_file_perms;
 
 r_dir_file(shelldomain, apk_data_file)
-allow shelldomain dalvikcache_data_file:file { write setattr };
 
 # Set properties.
 unix_socket_connect(shelldomain, property, init)
-- 
GitLab