Remove unneeded sepolicy rules.

am: e33e2c0719

Change-Id: Ifaa067ad0c5ad8d2fccd9926cc8d11a8c7a2975e

2 files changed, 1 insertions, 14 deletions

diff --git a/shared/sepolicy/device.te b/shared/sepolicy/device.te
index 38f0a2f0f..c29c2bf32 100644
--- a/shared/sepolicy/device.te
+++ b/shared/sepolicy/device.te
@@ -5,3 +5,4 @@ type region_e2e_test_device, dev_type;
 type region_screen_device, dev_type;
 type socket_forward_device, dev_type;
 type virtual_serial_device, dev_type;
+typeattribute system_block_device super_block_device_type;
diff --git a/shared/sepolicy/recovery.te b/shared/sepolicy/recovery.te
index e55c18b0a..d72dc6428 100644
--- a/shared/sepolicy/recovery.te
+++ b/shared/sepolicy/recovery.te
@@ -1,17 +1,3 @@
 allow recovery gpu_device:chr_file rw_file_perms;
 
 allow recovery appdomain_tmpfs:file r_file_perms;
-
-allow recovery sysfs_dm:dir r_dir_perms;
-allow recovery sysfs_dm:file r_file_perms;
-
-# TODO: This should really be 'super_block_device', but we can't label
-#       vda both system_block_device and super_block_device..
-allowxperm recovery system_block_device:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
-# Copied from update_engine.te:
-# Note: fsetid checks are triggered when creating a file in a directory with
-# the setgid bit set to determine if the file should inherit setgid. In this
-# case, setgid on the file is undesirable so we should just suppress the
-# denial.
-dontaudit recovery self:global_capability_class_set fsetid;