From 309cc668f9da5a3e4df7ecd44f3618864e4cf7eb Mon Sep 17 00:00:00 2001
From: dcashman
Date: Tue, 9 Sep 2014 11:38:42 -0700
Subject: [PATCH] Enable selinux read_policy for adb pull. Remove permission from appdomain.

Bug: 16866291
Change-Id: I37936fed33c337e1ab2816258c2aff52700af116
---
 adbd.te | 2 ++
 app.te | 2 --
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/adbd.te b/adbd.te
index 58fdead..b0f5895 100644
--- a/adbd.te
+++ b/adbd.te
@@ -68,3 +68,5 @@ allow adbd appdomain:unix_stream_socket connectto;
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;
+
+allow adbd kernel:security read_policy;
diff --git a/app.te b/app.te
index 6c38f10..615b39e 100644
--- a/app.te
+++ b/app.te
@@ -170,8 +170,6 @@ allow appdomain runas_exec:file getattr;
 # Check SELinux policy and contexts.
 selinux_check_access(appdomain)
 selinux_check_context(appdomain)
-# Enable reading of current selinux policy file
-allow appdomain kernel:security read_policy;
 # Validate that each process is running in the correct security context.
 allow appdomain domain:process getattr;
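Review bot: The added `allow adbd kernel:security read_policy;` rule in adbd.te has no comment, while the rule it replaces in app.te had one, and the nearest comment above it (the ndk-gdb one) describes a different use. A line such as `# Allow adb pull of the loaded SELinux policy (/sys/fs/selinux/policy).` directly above the rule would keep the reason for the grant visible to later policy audits. The hunk does not show whether these rules sit inside a build-variant macro such as `userdebug_or_eng`. If pulling the policy is only needed on debug builds, scoping the rule that way would keep the grant narrower on user builds; this needs checking against the full file.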