From b67b732a0cc9c98ea6a0bf0c838af0c3b2106900 Mon Sep 17 00:00:00 2001
From: Pavel Kirpichyov <pavel.kirpichyov@gmail.com>
Date: Mon, 18 Nov 2013 20:57:45 +0400
Subject: [PATCH] Make SELinux policies more 4.4 compatible

Change-Id: I8494f924f1d979fe88eae60ffc118cf34a90184c
---
 BoardCommonConfig.mk  | 5 ++++-
 selinux/device.te     | 1 -
 selinux/domain.te     | 3 ---
 selinux/drmserver.te  | 1 +
 selinux/file_contexts | 6 +++---
 selinux/ueventd.te    | 2 ++
 selinux/vold.te       | 1 +
 7 files changed, 11 insertions(+), 8 deletions(-)
 create mode 100644 selinux/drmserver.te
 create mode 100644 selinux/ueventd.te
 create mode 100644 selinux/vold.te

diff --git a/BoardCommonConfig.mk b/BoardCommonConfig.mk
index 64869ae..8b3c344 100644
--- a/BoardCommonConfig.mk
+++ b/BoardCommonConfig.mk
@@ -142,10 +142,13 @@ BOARD_SEPOLICY_DIRS += \
 
 BOARD_SEPOLICY_UNION += \
     device.te \
+    drmserver.te \
+    ueventd.te \
     domain.te \
     file.te \
     file_contexts \
-    rild.te
+    rild.te \
+    vold.te
 
 # Recovery
 BOARD_CUSTOM_RECOVERY_KEYMAPPING := ../../device/samsung/galaxys2-common/recovery/recovery_keys.c
diff --git a/selinux/device.te b/selinux/device.te
index cca8ee1..6de8078 100644
--- a/selinux/device.te
+++ b/selinux/device.te
@@ -1,3 +1,2 @@
-type mali_device, dev_type, mlstrustedobject;
 type rfkill_device, dev_type;
 type efs_block_device, dev_type;
diff --git a/selinux/domain.te b/selinux/domain.te
index 24e0951..ed8e129 100644
--- a/selinux/domain.te
+++ b/selinux/domain.te
@@ -1,6 +1,3 @@
-## /dev/mali, /dev/ump
-allow domain mali_device:chr_file rw_file_perms;
-
 ## /dev/rfkill for wpa_supp
 allow wpa rfkill_device:chr_file rw_file_perms;
 
diff --git a/selinux/drmserver.te b/selinux/drmserver.te
new file mode 100644
index 0000000..a456bbf
--- /dev/null
+++ b/selinux/drmserver.te
@@ -0,0 +1 @@
+allow drmserver sdcard_external:file open;
diff --git a/selinux/file_contexts b/selinux/file_contexts
index 3b9f7bc..3dc49e7 100644
--- a/selinux/file_contexts
+++ b/selinux/file_contexts
@@ -1,7 +1,7 @@
 # GFX
-/dev/mali                               u:object_r:mali_device:s0
-/dev/ump                                u:object_r:mali_device:s0
-/dev/fimg2d                             u:object_r:mali_device:s0
+/dev/mali                               u:object_r:graphics_device:s0
+/dev/ump                                u:object_r:graphics_device:s0
+/dev/fimg2d                             u:object_r:graphics_device:s0
 
 # RIL
 /dev/umts_boot0                         u:object_r:radio_device:s0
diff --git a/selinux/ueventd.te b/selinux/ueventd.te
new file mode 100644
index 0000000..95a5698
--- /dev/null
+++ b/selinux/ueventd.te
@@ -0,0 +1,2 @@
+allow ueventd sdcard_external:dir search;
+allow ueventd sdcard_external:file r_file_perms;
diff --git a/selinux/vold.te b/selinux/vold.te
new file mode 100644
index 0000000..d179865
--- /dev/null
+++ b/selinux/vold.te
@@ -0,0 +1 @@
+allow vold sdcard_external:file rw_file_perms;