From abbd8aeefd7f1891dc1442d9c51dc481d99d9d16 Mon Sep 17 00:00:00 2001
From: Brian Lindahl
Date: Thu, 1 Jun 2023 12:36:55 -0600
Subject: [PATCH] Move allow rule out of the neverallow section
Resovles comment from aosp/2605806
Bug: 234833109
Test: build
Change-Id: I248613ed2d9a7f26d404df8552c2dfc74694754a
---
 public/domain.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/public/domain.te b/public/domain.te
index 39cd5c20c..4ad73f18b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -334,6 +334,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 ###
 ### neverallow rules
 ###
@@ -1286,7 +1290,3 @@ neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_f
 # Linux lockdown "integrity" level is enforced for user builds.
 neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
-
-# Allow everyone to read media server-configurable flags, so that libstagefright can be
-# configured using server-configurable flags
-get_prop(domain, device_config_media_native_prop)
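Review bot: The comment above `get_prop(domain, device_config_media_native_prop)` in the first hunk says "everyone" but does not spell out that `domain` covers every process type on the device, sandboxed ones included, so anything placed in this flag namespace is readable device-wide. Now that the rule sits with the baseline allow rules, I would extend the comment, for example `# Read-only for all domains: values in this namespace are readable by every process and must not carry sensitive data.` Who is permitted to set these properties is not visible in this patch; it is worth confirming that write access stays limited to the intended domains. The second hunk only removes the old copy of the rule and needs no separate remark.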