Remove known system_server service accesses from auditing.

Address observed  audit logs of the form:
granted  { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager

in order to record existing relationships with services.

Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4

1 files changed, 17 insertions, 0 deletions

diff --git a/system_app.te b/system_app.te
index a445e57..12a5195 100644
--- a/system_app.te
+++ b/system_app.te
@@ -57,6 +57,23 @@ allow system_app system_app_service:service_manager add;
 allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;
 
+# address tmp_system_server_service accesses
+allow system_app {
+    activity_service
+    connectivity_service
+    display_service
+    dropbox_service
+}:service_manager find;
+
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+    tmp_system_server_service
+    -activity_service
+    -connectivity_service
+    -display_service
+    -dropbox_service
+}:service_manager find;
+
 allow system_app keystore:keystore_key {
 	test
 	get