authorNikhilesh Reddy <reddyn@codeaurora.org>2014-12-03 18:44:07 -0800
committerNikhilesh Reddy <reddyn@codeaurora.org>2014-12-05 15:04:58 -0800
commit3e49ef18a5ba02f12ff02754b73156ff00f6ff6a (patch)
tree3a43ca28cd0354cd9e802175c508db319f2afd46 /common/rmt_storage.te
parent6ecb77aaa07546f1afefad806478d0c7d6f78099 (diff)
sepolicy: Update the sepolicy for RFS and RMTS
Update the sepolicy for RFS and RMTS to include all new permissions required and add the tftp_server to the RFS domain. Change-Id: I1dc0c062ef21cf9eca1f365291ec7ff5733c7c8e
Diffstat (limited to 'common/rmt_storage.te')
-rw-r--r--common/rmt_storage.te22
1 files changed, 12 insertions, 10 deletions
diff --git a/common/rmt_storage.te b/common/rmt_storage.te
index 04a96ef1..19aea1d0 100644
--- a/common/rmt_storage.te
+++ b/common/rmt_storage.te
@@ -3,14 +3,16 @@ type rmt_storage, domain;
type rmt_storage_exec, exec_type, file_type;
init_daemon_domain(rmt_storage)
-allow rmt_storage modem_efs_partition_device:blk_file { read write open };
-allow rmt_storage block_device:dir search;
-allow rmt_storage cgroup:dir { create add_name };
-allow rmt_storage smem_log_device:chr_file { read write ioctl open };
-allow rmt_storage self:capability { setuid setgid sys_admin dac_override };
+allow rmt_storage modem_efs_partition_device:blk_file rw_file_perms;
+allow rmt_storage block_device:dir r_dir_perms;
+allow rmt_storage cgroup:dir create_dir_perms;
+allow rmt_storage smem_log_device:chr_file rw_file_perms;
+
+# sys_admin is needed for ioprio_set
+allow rmt_storage self:capability { setuid setgid sys_admin dac_override net_raw setpcap };
+
allow rmt_storage self:capability2 block_suspend;
-allow rmt_storage self:socket { create_socket_perms };
-allow rmt_storage sysfs_wake_lock:file { open write append };
-allow rmt_storage uio_device:chr_file { read write open };
-allow rmt_storage mmc_block_device:blk_file r_file_perms;
-allow rmt_storage self:capability { net_raw setpcap };
+allow rmt_storage self:socket create_socket_perms;
+allow rmt_storage sysfs_wake_lock:file w_file_perms;
+allow rmt_storage uio_device:chr_file rw_file_perms;
+allow rmt_storage mmc_block_device:blk_file r_file_perms;
\ No newline at end of file
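Review bot: Swapping the explicit permission sets for macros widens several rules rather than only tidying them: with the standard AOSP macro definitions, `create_dir_perms` on `cgroup:dir` adds rmdir, rename, setattr and remove_name to the former `{ create add_name }`, `r_dir_perms` on `block_device:dir` adds read/open/getattr to `search`, and `rw_file_perms` adds ioctl/getattr/lock/append on the modem EFS block device and `uio_device`. Where rmt_storage has no observed denial for the extra permissions, keep the narrow form, e.g. `allow rmt_storage cgroup:dir { create add_name };` and `allow rmt_storage block_device:dir search;`. The new comment justifies only `sys_admin`; `dac_override`, `net_raw` and `setpcap` on the merged capability line deserve the same one-line rationale, for example `# net_raw, setpcap: <reason, to be filled in by the author>`. The exact expansions depend on this tree's global_macros, which are not visible on this page.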