From e78fa1bf374edcc6af41a45721f483176903a55c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 5 Dec 2016 17:29:25 +0000
Subject: [PATCH] Revert "ueventd.te: auditallow device:chr_file"

Broke the dragon build:

libsepol.report_failure: neverallow on line 304 of system/sepolicy/public/domain.te (or line 8638 of policy.conf) violated by allow kernel device:chr_file { create setattr };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy

This reverts commit ed0b4eb366d029d73918c573f5729967f31a7f93.

Change-Id: I5d55ab59ed72ce7c19a10ddbb374f9f3b3fae4fd
---
 public/domain.te  | 5 ++---
 public/ueventd.te | 5 -----
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index c010d7923..30dbd7e73 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -299,9 +299,8 @@ neverallow { domain -kernel -init -recovery } block_device:blk_file { open read
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
-# uevent historically was granted access, but this does not appear used.
-# Tightening candidate?
-neverallow { domain -init -ueventd } device:chr_file no_rw_file_perms;
+# ueventd is exempt from this, as it is managing these devices.
+neverallow { domain -init -ueventd } device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
diff --git a/public/ueventd.te b/public/ueventd.te
index ce1cb37f1..3f1dcd473 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -7,12 +7,7 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
-
-# Read/write generically labeled /dev character device files.
-# TODO: this rule appears unnecessary. Delete?
 allow ueventd device:chr_file rw_file_perms;
-auditallow ueventd device:chr_file { read lock write ioctl open append };
-
 r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)
 allow ueventd sysfs:file w_file_perms;
-- 
GitLab