Both angler and bullhead violate these SELinux rules.
Bullhead: tee has access to these files
Angler: system_server has read/write access to these files.
Fixes the following compile time error:
libsepol.report_failure: neverallow on line 32 of external/sepolicy/fingerprintd.te (or line 6704 of policy.conf) violated by allow tee fingerprintd_data_file:file { ioctl read write create setattr lock append rename open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/bullhead/obj/ETC/sepolicy_intermediates/policy.conf
This reverts commit 604a8cae62.
Change-Id: Iabb8f2e9de96f9082cd6a790d1af80cbc6a569b1
Only fingerprintd should be creating/reading/writing/etc from
/data/system/users/[0-9]+/fpdata(/.*)? . Add a neverallow rule
(compile time assertion + CTS test) to ensure no regressions.
Change-Id: I30261a4bd880f5c4f3d90d1686a6267f60bdd413
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
