Drop dontaudit sys_admin rule from installd. Old Android kernels (e.g. kernel/goldfish android-2.6.29 commit 2bda29) fell back to a CAP_SYS_ADMIN check even before checking uids if the cgroup subsystem did not define its own can_attach handler. This doesn't appear to have ever been the case of mainline, and is not true of the 3.4 Android kernels. So we no longer need to dontaudit sys_admin to avoid log noise. Change-Id: I3822600a06c242764a94f9b67d9fcd6f599d3453 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: 016e636539093b00787183cbf56b684b91f94220 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Wed Apr 02 14:05:46 2014 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Wed Apr 02 14:05:46 2014 -0400
tree: 8e5467103a3b123bc4cbab7c76315cb7461a4aa6
parent: 1cb990de6d90928f167779ca6ad7cb42d4022a11 [diff]
diff --git a/installd.te b/installd.te
index abf0b16..3f5e9a1 100644
--- a/installd.te
+++ b/installd.te

@@ -16,7 +16,6 @@
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
-dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
 # Read /seapp_contexts and /data/security/seapp_contexts
commit	016e636539093b00787183cbf56b684b91f94220	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Wed Apr 02 14:05:46 2014 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Wed Apr 02 14:05:46 2014 -0400
tree	8e5467103a3b123bc4cbab7c76315cb7461a4aa6
parent	1cb990de6d90928f167779ca6ad7cb42d4022a11 [diff]