From 2cba1ee10da9afae86249bd2f227cd7470bf3f1a Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 16 Mar 2015 09:33:03 -0400 Subject: [PATCH] Remove ability to read all /proc/pid/attr/current entries. This was rendered obsolete when SELinuxDomainTest was ported to SELinuxHostTest and only makes sense if allowing search to domain:dir and { open read } to domain:file in order to open the /proc/pid/attr/current files in the first place. SELinux applies a further :process getattr check when reading any of the /proc/pid/attr/* files for any process other than self, which is no longer needed by app domains to pass CTS. Change-Id: Iff1e601e1268d4d77f64788d733789a2d2cd18cc Signed-off-by: Stephen Smalley --- app.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/app.te b/app.te index bed6aff86..27ec14b34 100644 --- a/app.te +++ b/app.te @@ -178,8 +178,6 @@ allow appdomain runas_exec:file getattr; # Check SELinux policy and contexts. selinux_check_access(appdomain) selinux_check_context(appdomain) -# Validate that each process is running in the correct security context. -allow appdomain domain:process getattr; ### ### Neverallow rules
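Review bot: the app.te hunk removes only `allow appdomain domain:process getattr;`, but the commit message says the rule was only meaningful together with `search` on `domain:dir` and `{ open read }` on `domain:file`; the hunk does not show those rules, so confirm they are not still granted to appdomain elsewhere in app.te, otherwise the file access remains allowed while the getattr check the message describes is gone. Since the trailing context ends at the `### Neverallow rules` section, it would also be worth pinning this removal with a neverallow on `appdomain domain:process getattr` (carved out for self, as the message notes the check is skipped for self) so a later change cannot silently regrant cross-domain process attribute reads to app domains.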