Delete external/sepolicy files.HEADmastermain

These files have been moved to system/sepolicy.

Bug: 27875478
Change-Id: I057784af0e9f6e43cd9a22ffce26fd63acccf98b

138 files changed, 1 insertions, 13256 deletions

diff --git a/Android.mk b/Android.mk
deleted file mode 100644
index a382734..0000000
--- a/Android.mk
+++ /dev/null
@@ -1,503 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-# SELinux policy version.
-# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
-# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 29
-
-MLS_SENS=1
-MLS_CATS=1024
-
-ifdef BOARD_SEPOLICY_REPLACE
-$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
-ifdef BOARD_SEPOLICY_IGNORE
-$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
-ifdef BOARD_SEPOLICY_UNION
-$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
-ifdef BOARD_SEPOLICY_M4DEFS
-LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
-endif
-
-# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS and the LOCAL_PATH.
-# $(1): the set of policy name paths to build
-build_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file)))))
-
-# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
-# $(1): the set of policy name paths to build
-build_device_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file)))))
-
-# Add a file containing only a newline in-between each policy configuration
-# 'contexts' file. This will allow OEM policy configuration files without a
-# final newline (0x0A) to be built correctly by the m4(1) macro processor.
-# $(1): the set of contexts file names.
-# $(2): the file containing only 0x0A.
-add_nl = $(foreach entry, $(1), $(subst $(entry), $(entry) $(2), $(entry)))
-
-sepolicy_build_files := security_classes \
-                        initial_sids \
-                        access_vectors \
-                        global_macros \
-                        neverallow_macros \
-                        mls_macros \
-                        mls \
-                        policy_capabilities \
-                        te_macros \
-                        attributes \
-                        ioctl_macros \
-                        *.te \
-                        roles \
-                        users \
-                        initial_sid_contexts \
-                        fs_use \
-                        genfs_contexts \
-                        port_contexts
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sectxfile_nl
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-# Create a file containing newline only to add between context config files
-include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE):
-	@mkdir -p $(dir $@)
-	$(hide) echo > $@
-
-built_nl := $(LOCAL_BUILT_MODULE)
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-sepolicy_policy.conf := $(intermediates)/policy.conf
-$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-s $^ > $@
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $< > /dev/null
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit > /dev/null
-	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
-	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
-		echo "==========" 1>&2; \
-		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
-		echo "List of invalid domains:" 1>&2; \
-		cat $@.permissivedomains 1>&2; \
-		exit 1; \
-		fi
-	$(hide) mv $@.tmp $@
-
-built_sepolicy := $(LOCAL_BUILT_MODULE)
-sepolicy_policy.conf :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy.recovery
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := eng
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf
-$(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_recovery=true \
-		-s $^ > $@
-
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $< > /dev/null
-	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
-	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
-		echo "==========" 1>&2; \
-		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
-		echo "List of invalid domains:" 1>&2; \
-		cat $@.permissivedomains 1>&2; \
-		exit 1; \
-		fi
-	$(hide) mv $@.tmp $@
-
-built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
-sepolicy_policy_recovery.conf :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := general_sepolicy.conf
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-exp_sepolicy_build_files :=\
-  $(foreach file, $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)), $(sort $(wildcard $(file))))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
-	mkdir -p $(dir $@)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=user \
-		-s $^ > $@
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
-exp_sepolicy_build_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy.general
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
-
-built_general_sepolicy := $(LOCAL_BUILT_MODULE)
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := file_contexts.bin
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# The file_contexts.bin is built in the following way:
-# 1. Collect all file_contexts files in THIS repository and process them with
-#    m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all device specific file_contexts files and process them with m4
-#    into a tmp file called file_contexts.device.tmp.
-# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
-#    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into
-#    file_contexts.concat.tmp.
-# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
-#    file_contexts.bin.
-#
-#  Note: That a newline file is placed between each file_context file found to
-#        ensure a proper build when an fc file is missing an ending newline.
-
-local_fc_files := $(LOCAL_PATH)/file_contexts
-ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files := $(local_fc_files) $(LOCAL_PATH)/file_contexts_asan
-endif
-local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
-
-file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
-$(file_contexts.local.tmp): $(local_fcfiles_with_nl)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $^ > $@
-
-device_fc_files := $(call build_device_policy, file_contexts)
-device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl))
-
-file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
-$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(file_contexts.device.tmp): $(device_fcfiles_with_nl)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-
-file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
-$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@
-
-file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
-$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $^ > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-
-built_fc := $(LOCAL_BUILT_MODULE)
-local_fc_files :=
-local_fcfiles_with_nl :=
-device_fc_files :=
-device_fcfiles_with_nl :=
-file_contexts.concat.tmp :=
-file_contexts.device.sorted.tmp :=
-file_contexts.device.tmp :=
-file_contexts.local.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := general_file_contexts.bin
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-general_file_contexts.tmp := $(intermediates)/general_file_contexts.tmp
-$(general_file_contexts.tmp): $(addprefix $(LOCAL_PATH)/, file_contexts)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $< > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(LOCAL_BUILT_MODULE): $(general_file_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-
-general_file_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := seapp_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_sc_files := $(call build_policy, seapp_contexts)
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(all_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(all_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
-
-built_sc := $(LOCAL_BUILT_MODULE)
-all_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := general_seapp_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_sc_files := $(addprefix $(LOCAL_PATH)/, seapp_contexts)
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILE := $(all_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy) $(all_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILE)
-
-all_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := general_seapp_neverallows
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(addprefix $(LOCAL_PATH)/, seapp_contexts)
-	@mkdir -p $(dir $@)
-	- $(hide) grep -ie '^neverallow' $< > $@
-
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_pc_files := $(call build_policy, property_contexts)
-all_pcfiles_with_nl := $(call add_nl, $(all_pc_files), $(built_nl))
-
-property_contexts.tmp := $(intermediates)/property_contexts.tmp
-$(property_contexts.tmp): PRIVATE_PC_FILES := $(all_pcfiles_with_nl)
-$(property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(property_contexts.tmp): $(all_pcfiles_with_nl)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
-	@mkdir -p $(dir $@)
-	$(hide) $(ACP) $< $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $<
-
-built_pc := $(LOCAL_BUILT_MODULE)
-all_pc_files :=
-all_pcfiles_with_nl :=
-property_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := general_property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-general_property_contexts.tmp := $(intermediates)/general_property_contexts.tmp
-$(general_property_contexts.tmp): $(addprefix $(LOCAL_PATH)/, property_contexts)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $< > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(LOCAL_BUILT_MODULE): $(general_property_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
-	@mkdir -p $(dir $@)
-	$(hide) $(ACP) $< $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $<
-
-general_property_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := service_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_svc_files := $(call build_policy, service_contexts)
-all_svcfiles_with_nl := $(call add_nl, $(all_svc_files), $(built_nl))
-
-service_contexts.tmp := $(intermediates)/service_contexts.tmp
-$(service_contexts.tmp): PRIVATE_SVC_FILES := $(all_svcfiles_with_nl)
-$(service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(service_contexts.tmp): $(all_svcfiles_with_nl)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $<
-	$(hide) $(ACP) $< $@
-
-built_svc := $(LOCAL_BUILT_MODULE)
-all_svc_files :=
-all_svcfiles_with_nl :=
-service_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := general_service_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-general_service_contexts.tmp := $(intermediates)/general_service_contexts.tmp
-$(general_service_contexts.tmp): $(addprefix $(LOCAL_PATH)/, service_contexts)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $< > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(LOCAL_BUILT_MODULE): $(general_service_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $<
-	$(hide) $(ACP) $< $@
-
-general_service_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := mac_permissions.xml
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Build keys.conf
-mac_perms_keys.tmp := $(intermediates)/keys.tmp
-$(mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(mac_perms_keys.tmp): $(call build_policy, keys.conf)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-
-all_mac_perms_files := $(call build_policy, $(LOCAL_MODULE))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(all_mac_perms_files)
-	@mkdir -p $(dir $@)
-	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
-		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-mac_perms_keys.tmp :=
-all_mac_perms_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_version
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
-	@mkdir -p $(dir $@)
-	$(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@
-
-##################################
-
-build_policy :=
-build_device_policy :=
-sepolicy_build_files :=
-built_sepolicy :=
-built_sepolicy_recovery :=
-built_sc :=
-built_fc :=
-built_pc :=
-built_svc :=
-built_general_sepolicy :=
-built_general_sepolicy.conf :=
-built_nl :=
-add_nl :=
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/CleanSpec.mk b/CleanSpec.mk
deleted file mode 100644
index f141e34..0000000
--- a/CleanSpec.mk
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright (C) 2015 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# If you don't need to do a full clean build but would like to touch
-# a file or delete some intermediate files, add a clean step to the end
-# of the list.  These steps will only be run once, if they haven't been
-# run before.
-#
-# E.g.:
-#     $(call add-clean-step, touch -c external/sqlite/sqlite3.h)
-#     $(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/STATIC_LIBRARIES/libz_intermediates)
-#
-# Always use "touch -c" and "rm -f" or "rm -rf" to gracefully deal with
-# files that are missing or have been moved.
-#
-# Use $(PRODUCT_OUT) to get to the "out/target/product/blah/" directory.
-# Use $(OUT_DIR) to refer to the "out" directory.
-#
-# If you need to re-do something that's already mentioned, just copy
-# the command and add it to the bottom of the list.  E.g., if a change
-# that you made last week required touching a file and a change you
-# made today requires touching the same file, just copy the old
-# touch step and add it to the end of the list.
-#
-# ************************************************
-# NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST
-# ************************************************
-
-# For example:
-#$(call add-clean-step, rm -rf $(OUT_DIR)/target/common/obj/APPS/AndroidTests_intermediates)
-#$(call add-clean-step, rm -rf $(OUT_DIR)/target/common/obj/JAVA_LIBRARIES/core_intermediates)
-#$(call add-clean-step, find $(OUT_DIR) -type f -name "IGTalkSession*" -print0 | xargs -0 rm -f)
-#$(call add-clean-step, rm -rf $(PRODUCT_OUT)/data/*)
-
-# ************************************************
-# NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST
-# ************************************************
-
-$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/file_contexts)
-$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/file_contexts)
diff --git a/README b/README
index a3c75b8..fae4943 100644
--- a/README
+++ b/README
@@ -1,103 +1 @@
-This directory contains the core Android SELinux policy configuration.
-It defines the domains and types for the AOSP services and apps common to
-all devices.  Device-specific policy should be placed under a
-separate device/<vendor>/<board>/sepolicy subdirectory and linked
-into the policy build as described below.
-
-Policy Generation:
-
-Additional, per device, policy files can be added into the
-policy build. These files should have each line including the
-final line terminated by a newline character (0x0A).  This
-will allow files to be concatenated and processed whenever
-the m4(1) macro processor is called by the build process.
-Adding the newline will also make the intermediate text files
-easier to read when debugging build failures.  The sets of file,
-service and property contexts files will automatically have a
-newline inserted between each file as these are common failure
-points.
-
-These device policy files can be configured through the use of
-the BOARD_SEPOLICY_DIRS variable. This variable should be set
-in the BoardConfig.mk file in the device or vendor directories.
-
-BOARD_SEPOLICY_DIRS contains a list of directories to search
-for additional policy files. Order matters in this list.
-For example, if you have 2 instances of widget.te files in the
-BOARD_SEPOLICY_DIRS search path, then the first one found (at the
-first search dir containing the file) will be concatenated first.
-Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
-will help sort out ordering issues.
-
-Example BoardConfig.mk Usage:
-From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
-
-BOARD_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
-
-Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
-definitions during the build. A definition consists of a string in the form
-of macro-name=value. Spaces must NOT be present. This is useful for building modular
-policies, policy generation, conditional file paths, etc. It is supported in
-the following file types:
- * All *.te and SE Linux policy files as passed to checkpolicy
- * file_contexts
- * service_contexts
- * property_contexts
- * keys.conf
-
-Example BoardConfig.mk Usage:
-BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
-                         btdevice=/dev/gps
-
-SPECIFIC POLICY FILE INFORMATION
-
-mac_permissions.xml:
-  ABOUT:
-    The mac_permissions.xml file is used for controlling the mmac solutions
-    as well as mapping a public base16 signing key with an arbitrary seinfo
-    string. Details of the files contents can be found in a comment at the
-    top of that file. The seinfo string, previously mentioned, is the same string
-    that is referenced in seapp_contexts.
-
-    It is important to note the final processed version of this file
-    is stripped of comments and whitespace. This is to preserve space on the
-    system.img. If one wishes to view it in a more human friendly format,
-    the "tidy" or "xmllint" command will assist you.
-
-  TOOLING:
-    insertkeys.py
-      Is a helper script for mapping arbitrary tags in the signature stanzas of
-      mac_permissions.xml to public keys found in pem files. This script takes
-      a mac_permissions.xml file(s) and configuration file in order to operate.
-      Details of the configuration file (keys.conf) can be found in the subsection
-      keys.conf. This tool is also responsible for stripping the comments and
-      whitespace during processing.
-
-      keys.conf
-        The keys.conf file is used for controlling the mapping of "tags" found in
-        the mac_permissions.xml signature stanzas with actual public keys found in
-        pem files. The configuration file is processed via m4.
-
-        The script allows for mapping any string contained in TARGET_BUILD_VARIANT
-        with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
-        user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
-        any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
-        and all options are matched lowercase. The options are "tolowered" automatically
-        for the user, it is convention to specify tags and options in all uppercase
-        and tags start with @. The option arguments can also use environment variables
-        via the familiar $VARIABLE syntax. This is often useful for setting a location
-        to ones release keys.
-
-        Often times, one will need to integrate an application that was signed by a separate
-        organization and may need to extract the pem file for the insertkeys/keys.conf tools.
-        Extraction of the public key in the pem format is possible via openssl. First you need
-        to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
-        openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM  -print_certs
-        On some occasions CERT.RSA has a different name, and you will need to adjust for that.
-        After extracting the pem, you can rename it, and configure keys.conf and
-        mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
-        editor and strip out anything outside the opening and closing scissor lines. Failure to do
-        so WILL cause a compile time issue thrown by insertkeys.py
-
-        NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
-              and setool all use base16 encodings.
+This directory has moved to system/sepolicy.
diff --git a/access_vectors b/access_vectors
deleted file mode 100644
index c38aa7b..0000000
--- a/access_vectors
+++ /dev/null
@@ -1,620 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-	unlink
-	link
-	rename
-	execute
-	swapon
-	quotaon
-	mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-# socket-specific
-	bind
-	connect
-	listen
-	accept
-	getopt
-	setopt
-	shutdown
-	recvfrom
-	sendto
-	recv_msg
-	send_msg
-	name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
-	create
-	destroy
-	getattr
-	setattr
-	read
-	write
-	associate
-	unix_read
-	unix_write
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
-	mount
-	remount
-	unmount
-	getattr
-	relabelfrom
-	relabelto
-	transition
-	associate
-	quotamod
-	quotaget
-}
-
-class dir
-inherits file
-{
-	add_name
-	remove_name
-	reparent
-	search
-	rmdir
-	open
-	audit_access
-	execmod
-}
-
-class file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-	open
-	audit_access
-}
-
-class lnk_file
-inherits file
-{
-	open
-	audit_access
-	execmod
-}
-
-class chr_file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-	open
-	audit_access
-}
-
-class blk_file
-inherits file
-{
-	open
-	audit_access
-	execmod
-}
-
-class sock_file
-inherits file
-{
-	open
-	audit_access
-	execmod
-}
-
-class fifo_file
-inherits file
-{
-	open
-	audit_access
-	execmod
-}
-
-class fd
-{
-	use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-	node_bind
-	name_connect
-}
-
-class udp_socket
-inherits socket
-{
-	node_bind
-}
-
-class rawip_socket
-inherits socket
-{
-	node_bind
-}
-
-class node
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	enforce_dest
-	dccp_recv
-	dccp_send
-	recvfrom
-	sendto
-}
-
-class netif
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	dccp_recv
-	dccp_send
-	ingress
-	egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
-	fork
-	transition
-	sigchld # commonly granted from child to parent
-	sigkill # cannot be caught or ignored
-	sigstop # cannot be caught or ignored
-	signull # for kill(pid, 0)
-	signal  # all other signals
-	ptrace
-	getsched
-	setsched
-	getsession
-	getpgid
-	setpgid
-	getcap
-	setcap
-	share
-	getattr
-	setexec
-	setfscreate
-	noatsecure
-	siginh
-	setrlimit
-	rlimitinh
-	dyntransition
-	setcurrent
-	execmem
-	execstack
-	execheap
-	setkeycreate
-	setsockcreate
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
-	enqueue
-}
-
-class msg
-{
-	send
-	receive
-}
-
-class shm
-inherits ipc
-{
-	lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
-	compute_av
-	compute_create
-	compute_member
-	check_context
-	load_policy
-	compute_relabel
-	compute_user
-	setenforce     # was avc_toggle in system class
-	setbool
-	setsecparam
-	setcheckreqprot
-	read_policy
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
-	ipc_info
-	syslog_read
-	syslog_mod
-	syslog_console
-	module_request
-}
-
-#
-# Define the access vector interpretation for controling capabilies
-#
-
-class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Capabilities >= 32 are defined in the capability2 class.
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown
-	dac_override
-	dac_read_search
-	fowner
-	fsetid
-	kill
-	setgid
-	setuid
-	setpcap
-	linux_immutable
-	net_bind_service
-	net_broadcast
-	net_admin
-	net_raw
-	ipc_lock
-	ipc_owner
-	sys_module
-	sys_rawio
-	sys_chroot
-	sys_ptrace
-	sys_pacct
-	sys_admin
-	sys_boot
-	sys_nice
-	sys_resource
-	sys_time
-	sys_tty_config
-	mknod
-	lease
-	audit_write
-	audit_control
-	setfcap
-}
-
-class capability2
-{
-	mac_override	# unused by SELinux
-	mac_admin	# unused by SELinux
-	syslog
-	wake_alarm
-	block_suspend
-	audit_read
-}
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_firewall_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-	nlmsg_relay
-	nlmsg_readpriv
-	nlmsg_tty_audit
-}
-
-class netlink_ip6fw_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
-	sendto
-	recvfrom
-	setcontext
-	polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
-	send
-	recv
-	relabelto
-	flow_in		# deprecated
-	flow_out	# deprecated
-	forward_in
-	forward_out
-}
-
-class key
-{
-	view
-	read
-	write
-	search
-	link
-	setattr
-	create
-}
-
-class dccp_socket
-inherits socket
-{
-	node_bind
-	name_connect
-}
-
-class memprotect
-{
-	mmap_zero
-}
-
-# network peer labels
-class peer
-{
-	recv
-}
-
-class kernel_service
-{
-	use_as_override
-	create_files_as
-}
-
-class tun_socket
-inherits socket
-{
-	attach_queue
-}
-
-class binder
-{
-	impersonate
-	call
-	set_context_mgr
-	transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-class property_service
-{
-	set
-}
-
-class service_manager
-{
-	add
-	find
-	list
-}
-
-class keystore_key
-{
-	get_state
-	get
-	insert
-	delete
-	exist
-	list
-	reset
-	password
-	lock
-	unlock
-	is_empty
-	sign
-	verify
-	grant
-	duplicate
-	clear_uid
-	add_auth
-	user_changed
-}
-
-class debuggerd
-{
-	dump_tombstone
-	dump_backtrace
-}
-
-class drmservice {
-	consumeRights
-	setPlaybackStatus
-	openDecryptSession
-	closeDecryptSession
-	initializeDecryptUnit
-	decrypt
-	finalizeDecryptUnit
-	pread
-}
diff --git a/adbd.te b/adbd.te
deleted file mode 100644
index 2734a33..0000000
--- a/adbd.te
+++ /dev/null
@@ -1,102 +0,0 @@
-# adbd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type adbd, domain, mlstrustedsubject;
-
-userdebug_or_eng(`
-  allow adbd self:process setcurrent;
-  allow adbd su:process dyntransition;
-')
-
-domain_auto_trans(adbd, shell_exec, shell)
-
-# Do not sanitize the environment or open fds of the shell. Allow signaling
-# created processes.
-allow adbd shell:process { noatsecure signal };
-
-# Set UID and GID to shell.  Set supplementary groups.
-allow adbd self:capability { setuid setgid };
-
-# Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
-
-# Create and use network sockets.
-net_domain(adbd)
-
-# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
-allow adbd adb_device:chr_file rw_file_perms;
-allow adbd functionfs:dir search;
-allow adbd functionfs:file rw_file_perms;
-
-# Use a pseudo tty.
-allow adbd devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir create_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-
-# adb push/pull sdcard.
-allow adbd tmpfs:dir search;
-allow adbd rootfs:lnk_file r_file_perms;
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-# adb pull /data/anr/traces.txt
-allow adbd anr_data_file:dir r_dir_perms;
-allow adbd anr_data_file:file r_file_perms;
-
-# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-set_prop(adbd, shell_prop)
-set_prop(adbd, powerctl_prop)
-set_prop(adbd, ffs_prop)
-
-# Access device logging gating property
-get_prop(adbd, device_logging_prop)
-
-# Run /system/bin/bu
-allow adbd system_file:file rx_file_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
-
-# Read /data/misc/adb/adb_keys.
-allow adbd adb_keys_file:dir search;
-allow adbd adb_keys_file:file r_file_perms;
-
-userdebug_or_eng(`
-  # Write debugging information to /data/adb
-  # when persist.adb.trace_mask is set
-  # https://code.google.com/p/android/issues/detail?id=72895
-  allow adbd adb_data_file:dir rw_dir_perms;
-  allow adbd adb_data_file:file create_file_perms;
-')
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file r_file_perms;
-allow adbd system_file:file r_file_perms;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow adbd selinuxfs:dir r_dir_perms;
-allow adbd selinuxfs:file r_file_perms;
-allow adbd kernel:security read_policy;
-
-allow adbd surfaceflinger_service:service_manager find;
-allow adbd bootchart_data_file:dir search;
-allow adbd bootchart_data_file:file r_file_perms;
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow adbd storage_file:dir r_dir_perms;
-allow adbd storage_file:lnk_file r_file_perms;
-allow adbd mnt_user_file:dir r_dir_perms;
-allow adbd mnt_user_file:lnk_file r_file_perms;
diff --git a/app.te b/app.te
deleted file mode 100644
index a91d75a..0000000
--- a/app.te
+++ /dev/null
@@ -1,409 +0,0 @@
-###
-### Domain for all zygote spawned apps
-###
-### This file is the base policy for all zygote spawned apps.
-### Other policy files, such as isolated_app.te, untrusted_app.te, etc
-### extend from this policy. Only policies which should apply to ALL
-### zygote spawned apps should be added here.
-###
-
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain ashmem_device:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Place process into foreground / background
-allow appdomain cgroup:dir { search write };
-allow appdomain cgroup:file w_file_perms;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard symlink
-allow appdomain rootfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-userdebug_or_eng(`
-  # Notify zygote of the wrapped process PID when using --invoke-with.
-  allow appdomain zygote:fifo_file write;
-
-  # Allow apps to create and write method traces in /data/misc/trace.
-  allow appdomain method_trace_data_file:dir w_dir_perms;
-  allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
-
-# lib subdirectory of /data/data dir is system-owned.
-allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute execute_no_trans open execmod };
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-allow appdomain keychain_data_file:dir r_dir_perms;
-allow appdomain keychain_data_file:file r_file_perms;
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow appdomain shell_exec:file rx_file_perms;
-allow appdomain system_file:file rx_file_perms;
-allow appdomain toolbox_exec:file rx_file_perms;
-
-# Renderscript needs the ability to read directories on /system
-r_dir_file(appdomain, system_file)
-
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
-
-# Write to /data/anr/traces.txt.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain shell_data_file:file { write getattr };
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
-  allow appdomain heapdump_data_file:file append;
-')
-
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file r_file_perms;
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file getattr;
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow appdomain media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow appdomain radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow appdomain storage_file:dir r_dir_perms;
-allow appdomain storage_file:lnk_file r_file_perms;
-allow appdomain mnt_user_file:dir r_dir_perms;
-allow appdomain mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow appdomain fuse:dir create_dir_perms;
-allow appdomain fuse:file create_file_perms;
-
-# Access OBBs (vfat images) mounted by vold (b/17633509)
-# File write access allowed for FDs returned through Storage Access Framework
-allow appdomain vfat:dir r_dir_perms;
-allow appdomain vfat:file rw_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow appdomain usb_device:chr_file { read write getattr ioctl };
-allow appdomain usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file { rx_file_perms execmod };
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd(appdomain)
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-
-use_keystore({ appdomain -isolated_app })
-
-allow appdomain console_device:chr_file { read write };
-
-allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write };
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
-neverallow { appdomain -bluetooth } self:capability2 *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Access to any of the following character devices.
-neverallow appdomain {
-    audio_device
-    video_device
-    dm_device
-    radio_device
-    gps_device
-    rpmsg_device
-}:chr_file { read write };
-
-# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
-
-neverallow { appdomain -nfc } nfc_device:chr_file
-    { read write };
-neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
-    { read write };
-neverallow appdomain tee_device:chr_file { read write };
-
-# Privileged netlink socket interfaces.
-neverallow appdomain
-    domain:{
-        netlink_firewall_socket
-        netlink_tcpdiag_socket
-        netlink_nflog_socket
-        netlink_xfrm_socket
-        netlink_audit_socket
-        netlink_ip6fw_socket
-        netlink_dnrt_socket
-    } *;
-
-# These messages are broadcast messages from the kernel to userspace.
-# Do not allow the writing of netlink messages, which has been a source
-# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
-
-# Sockets under /dev/socket that are not specifically typed.
-neverallow appdomain socket_device:sock_file write;
-
-# Unix domain sockets.
-neverallow appdomain adbd_socket:sock_file write;
-neverallow appdomain installd_socket:sock_file write;
-neverallow { appdomain -radio } rild_socket:sock_file write;
-neverallow appdomain vold_socket:sock_file write;
-neverallow appdomain zygote_socket:sock_file write;
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
-
-# signal access to non-app domains.
-# sigchld allowed for parent death notification.
-# signull allowed for kill(pid, 0) existence test.
-# All others prohibited.
-neverallow appdomain { domain -appdomain }:process
-    { sigkill sigstop signal };
-
-# Transition to a non-app domain.
-# Exception for the shell domain and the su domain, can transition to runas,
-# etc.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
-    { transition dyntransition };
-
-# Write to rootfs.
-neverallow appdomain rootfs:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to entrypoint executables.
-neverallow appdomain exec_type:file
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts.  Define a different type for portions
-# that should be writable by apps.
-neverallow appdomain system_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to various other parts of /data.
-neverallow appdomain drm_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -system_app }
-    gps_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_private_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_private_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell }
-    shell_data_file:dir_file_class_set
-    { create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth }
-    bluetooth_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
-    keystore_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
-    systemkeys_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
-    wifi_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
-    dhcp_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# access tmp apk files
-neverallow { appdomain -platform_app -priv_app }
-    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-# Access to factory files.
-neverallow appdomain efs_file:dir_file_class_set write;
-neverallow { appdomain -shell } efs_file:dir_file_class_set read;
-
-# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc }
-    sysfs:dir_file_class_set write;
-neverallow appdomain
-    proc:dir_file_class_set write;
-
-# Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app }
-    kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -shell }
-    kernel:system syslog_read;
-
-# Ability to perform any filesystem operation other than statfs(2).
-# i.e. no mount(2), unmount(2), etc.
-neverallow appdomain fs_type:filesystem ~getattr;
-
-# prevent creation/manipulation of globally readable symlinks
-neverallow appdomain {
-  apk_data_file
-  cache_file
-  cache_recovery_file
-  dev_type
-  rootfs
-  system_file
-  tmpfs
-}:lnk_file no_w_file_perms;
diff --git a/atrace.te b/atrace.te
deleted file mode 100644
index 31cf9e7..0000000
--- a/atrace.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# Domain for atrace process spawned by boottrace service.
-type atrace_exec, exec_type, file_type;
-
-userdebug_or_eng(`
-
-  type atrace, domain, domain_deprecated;
-  init_daemon_domain(atrace)
-
-  # boottrace services uses /data/misc/boottrace/categories
-  allow atrace boottrace_data_file:dir search;
-  allow atrace boottrace_data_file:file r_file_perms;
-
-  # atrace reads the files in /sys/kernel/debug/tracing/
-  allow atrace debugfs_tracing:file r_file_perms;
-
-  # atrace sets debug.atrace.* properties
-  set_prop(atrace, debug_prop)
-
-  # atrace pokes all the binder-enabled processes at startup.
-  binder_use(atrace)
-  allow atrace healthd:binder call;
-  allow atrace surfaceflinger:binder call;
-
-')
diff --git a/attributes b/attributes
deleted file mode 100644
index 485b3e9..0000000
--- a/attributes
+++ /dev/null
@@ -1,102 +0,0 @@
-######################################
-# Attribute declarations
-#
-
-# All types used for devices.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# in tools/checkfc.c
-attribute dev_type;
-
-# All types used for processes.
-attribute domain;
-
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
-
-# All types used for filesystems.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute fs_type;
-
-# All types used for context= mounts.
-attribute contextmount_type;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-# All types used for /data files.
-attribute data_file_type;
-
-# All types use for sysfs files.
-attribute sysfs_type;
-
-# All types use for debugfs files.
-attribute debugfs_type;
-
-# Attribute used for all sdcards
-attribute sdcard_type;
-
-# All types used for nodes/hosts.
-attribute node_type;
-
-# All types used for network interfaces.
-attribute netif_type;
-
-# All types used for network ports.
-attribute port_type;
-
-# All types used for property service
-# On change, update CHECK_PC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute property_type;
-
-# All properties defined in core SELinux policy. Should not be
-# used by device specific properties
-attribute core_property_type;
-
-# All service_manager types created by system_server
-attribute system_server_service;
-
-# services which should be available to all but isolated apps
-attribute app_api_service;
-
-# services which export only system_api
-attribute system_api_service;
-
-# All types used for services managed by service_manager.
-# On change, update CHECK_SC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute service_manager_type;
-
-# All domains that can override MLS restrictions.
-# i.e. processes that can read up and write down.
-attribute mlstrustedsubject;
-
-# All types that can override MLS restrictions.
-# i.e. files that can be read by lower and written by higher
-attribute mlstrustedobject;
-
-# All domains used for apps.
-attribute appdomain;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
-# All domains used for apps with bluetooth access.
-attribute bluetoothdomain;
-
-# All domains used for binder service domains.
-attribute binderservicedomain;
diff --git a/binderservicedomain.te b/binderservicedomain.te
deleted file mode 100644
index 36993eb..0000000
--- a/binderservicedomain.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# Rules common to all binder service domains
-
-# Allow dumpstate to collect information from binder services
-allow binderservicedomain dumpstate:fd use;
-allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
-allow binderservicedomain shell_data_file:file { getattr write };
-
-# Allow dumpsys to work from adb shell or the serial console
-allow binderservicedomain devpts:chr_file rw_file_perms;
-allow binderservicedomain console_device:chr_file rw_file_perms;
-
-# Receive and write to a pipe received over Binder from an app.
-allow binderservicedomain appdomain:fd use;
-allow binderservicedomain appdomain:fifo_file write;
-
-# allow all services to run permission checks
-allow binderservicedomain permission_service:service_manager find;
-
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-
-use_keystore(binderservicedomain)
diff --git a/blkid.te b/blkid.te
deleted file mode 100644
index 43bc944..0000000
--- a/blkid.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# blkid called from vold
-type blkid, domain, domain_deprecated;
-type blkid_exec, exec_type, file_type;
-
-# Allowed read-only access to encrypted devices to extract UUID/label
-allow blkid block_device:dir search;
-allow blkid userdata_block_device:blk_file r_file_perms;
-allow blkid dm_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid vold:fd use;
-allow blkid vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid blkid_exec:file rx_file_perms;
-
-# Only allow entry from vold
-neverallow { domain -vold } blkid:process transition;
-neverallow * blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
deleted file mode 100644
index da3bdac..0000000
--- a/blkid_untrusted.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# blkid for untrusted block devices
-type blkid_untrusted, domain, domain_deprecated;
-
-# Allowed read-only access to vold block devices to extract UUID/label
-allow blkid_untrusted block_device:dir search;
-allow blkid_untrusted vold_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid_untrusted vold:fd use;
-allow blkid_untrusted vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid_untrusted blkid_exec:file rx_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted blkid should never be run on block devices holding sensitive data
-neverallow blkid_untrusted {
-  boot_block_device
-  frp_block_device
-  metadata_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  userdata_block_device
-  cache_block_device
-  dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via blkid binary
-neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow * blkid_untrusted:process dyntransition;
-neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/bluetooth.te b/bluetooth.te
deleted file mode 100644
index f249e9b..0000000
--- a/bluetooth.te
+++ /dev/null
@@ -1,64 +0,0 @@
-# bluetooth subsystem
-type bluetooth, domain, domain_deprecated;
-app_domain(bluetooth)
-net_domain(bluetooth)
-
-wakelock_use(bluetooth);
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-
-# Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-allow bluetooth bluetooth_socket:sock_file create_file_perms;
-
-# bluetooth factory file accesses.
-r_dir_file(bluetooth, bluetooth_efs_file)
-
-allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
-
-# tethering
-allow bluetooth self:tun_socket create_socket_perms;
-allow bluetooth tun_device:chr_file rw_file_perms;
-allow bluetooth efs_file:dir search;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# Allow write access to bluetooth specific properties
-set_prop(bluetooth, bluetooth_prop)
-set_prop(bluetooth, pan_result_prop)
-set_prop(bluetooth, ctl_dhcp_pan_prop)
-
-allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth drmserver_service:service_manager find;
-allow bluetooth mediaserver_service:service_manager find;
-allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth app_api_service:service_manager find;
-allow bluetooth system_api_service:service_manager find;
-
-# Bluetooth Sim Access Profile Socket to the RIL
-unix_socket_connect(bluetooth, sap_uim, rild)
-
-# already open bugreport file descriptors may be shared with
-# the bluetooth process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow bluetooth shell_data_file:file read;
-
-###
-### Neverallow rules
-###
-### These are things that the bluetooth app should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin, wake_alarm and block_suspend
-neverallow bluetooth self:capability ~net_admin;
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/bluetoothdomain.te b/bluetoothdomain.te
deleted file mode 100644
index fe4f0e6..0000000
--- a/bluetoothdomain.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow clients to use a socket provided by the bluetooth app.
-allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/bootanim.te b/bootanim.te
deleted file mode 100644
index fa0e4dc..0000000
--- a/bootanim.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# bootanimation oneshot service
-type bootanim, domain;
-type bootanim_exec, exec_type, file_type;
-
-init_daemon_domain(bootanim)
-
-binder_use(bootanim)
-binder_call(bootanim, surfaceflinger)
-
-allow bootanim gpu_device:chr_file rw_file_perms;
-
-# /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
-
-allow bootanim audio_device:dir r_dir_perms;
-allow bootanim audio_device:chr_file rw_file_perms;
-
-allow bootanim surfaceflinger_service:service_manager find;
-
-# Allow access to ion memory allocation device
-allow bootanim ion_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(bootanim, proc)
-r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, cgroup)
-
-# System file accesses.
-allow bootanim system_file:dir r_dir_perms;
diff --git a/bootstat.te b/bootstat.te
deleted file mode 100644
index 44a8c91..0000000
--- a/bootstat.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# bootstat command
-type bootstat, domain;
-type bootstat_exec, exec_type, file_type;
-
-init_daemon_domain(bootstat)
-
-# Allow persistent storage in /data/misc/bootstat.
-allow bootstat bootstat_data_file:dir rw_dir_perms;
-allow bootstat bootstat_data_file:file create_file_perms;
-
-# Read access to pseudo filesystems (for /proc/uptime).
-r_dir_file(bootstat, proc)
\ No newline at end of file
diff --git a/clatd.te b/clatd.te
deleted file mode 100644
index 3cda6a2..0000000
--- a/clatd.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# 464xlat daemon
-type clatd, domain, domain_deprecated;
-type clatd_exec, exec_type, file_type;
-
-net_domain(clatd)
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:capability { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:capability ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
-allow clatd tun_device:chr_file rw_file_perms;
diff --git a/debuggerd.te b/debuggerd.te
deleted file mode 100644
index 04dcb79..0000000
--- a/debuggerd.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# debugger interface
-type debuggerd, domain, domain_deprecated;
-type debuggerd_exec, exec_type, file_type;
-
-init_daemon_domain(debuggerd)
-typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
-allow debuggerd self:capability2 { syslog };
-allow debuggerd domain:dir r_dir_perms;
-allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:lnk_file read;
-allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
-allow debuggerd tombstone_data_file:dir rw_dir_perms;
-allow debuggerd tombstone_data_file:file create_file_perms;
-allow debuggerd shared_relro_file:dir r_dir_perms;
-allow debuggerd shared_relro_file:file r_file_perms;
-allow debuggerd domain:process { sigstop sigkill signal };
-allow debuggerd exec_type:file r_file_perms;
-# Access app library
-allow debuggerd system_data_file:file open;
-# Allow debuggerd to redirect a dump_backtrace request to itself.
-# This only happens on 64 bit systems, where all requests go to the 64 bit
-# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
-
-# Connect to system_server via /data/system/ndebugsocket.
-unix_socket_connect(debuggerd, system_ndebug, system_server)
-
-userdebug_or_eng(`
-  allow debuggerd input_device:dir r_dir_perms;
-  allow debuggerd input_device:chr_file rw_file_perms;
-')
-
-# logd access
-read_logd(debuggerd)
-
-# Check SELinux permissions.
-selinux_check_access(debuggerd)
diff --git a/device.te b/device.te
deleted file mode 100644
index 0fc90c5..0000000
--- a/device.te
+++ /dev/null
@@ -1,102 +0,0 @@
-# Device types
-type device, dev_type, fs_type;
-type alarm_device, dev_type, mlstrustedobject;
-type adb_device, dev_type;
-type ashmem_device, dev_type, mlstrustedobject;
-type audio_device, dev_type;
-type binder_device, dev_type, mlstrustedobject;
-type block_device, dev_type;
-type dm_device, dev_type;
-type loop_device, dev_type;
-type pmsg_device, dev_type, mlstrustedobject;
-type radio_device, dev_type;
-type ram_device, dev_type;
-type rtc_device, dev_type;
-type vold_device, dev_type;
-type console_device, dev_type;
-type cpuctl_device, dev_type;
-type fscklogs, dev_type;
-type full_device, dev_type;
-# GPU (used by most UI apps)
-type gpu_device, dev_type, mlstrustedobject;
-type graphics_device, dev_type;
-type hw_random_device, dev_type;
-type input_device, dev_type;
-type kmem_device, dev_type;
-type log_device, dev_type, mlstrustedobject;
-type mtd_device, dev_type;
-type mtp_device, dev_type, mlstrustedobject;
-type nfc_device, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
-type kmsg_device, dev_type;
-type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type, mlstrustedobject;
-type sensors_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
-type owntty_device, dev_type, mlstrustedobject;
-type tty_device, dev_type;
-type urandom_device, dev_type, mlstrustedobject;
-type video_device, dev_type;
-type vcs_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type, mlstrustedobject;
-type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
-type gps_device, dev_type;
-type qtaguid_device, dev_type;
-type watchdog_device, dev_type;
-type uhid_device, dev_type;
-type uio_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type, mlstrustedobject;
-type usb_device, dev_type, mlstrustedobject;
-type klog_device, dev_type;
-type properties_device, dev_type;
-type properties_serial, dev_type;
-type i2c_device, dev_type;
-
-# All devices have a uart for the hci
-# attach service. The uart dev node
-# varies per device. This type
-# is used in per device policy
-type hci_attach_dev, dev_type;
-
-# All devices have a rpmsg device for
-# achieving remoteproc and rpmsg modules
-type rpmsg_device, dev_type;
-
-# Partition layout block device
-type root_block_device, dev_type;
-
-# factory reset protection block device
-type frp_block_device, dev_type;
-
-# System block device mounted on /system.
-type system_block_device, dev_type;
-
-# Recovery block device.
-type recovery_block_device, dev_type;
-
-# boot block device.
-type boot_block_device, dev_type;
-
-# Userdata block device mounted on /data.
-type userdata_block_device, dev_type;
-
-# Cache block device mounted on /cache.
-type cache_block_device, dev_type;
-
-# Block device for any swap partition.
-type swap_block_device, dev_type;
-
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-type metadata_block_device, dev_type;
-
-# The 'misc' partition used by recovery and A/B.
-type misc_block_device, dev_type;
-
-# Bootctrl block device used by A/B update (update_engine, update_verifier).
-type bootctrl_block_device, dev_type;
diff --git a/dex2oat.te b/dex2oat.te
deleted file mode 100644
index 83a7c8a..0000000
--- a/dex2oat.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# dex2oat
-type dex2oat, domain, domain_deprecated;
-type dex2oat_exec, exec_type, file_type;
-
-allow dex2oat dalvikcache_data_file:file write;
-# Read symlinks in /data/dalvik-cache
-allow dex2oat dalvikcache_data_file:lnk_file read;
-allow dex2oat installd:fd use;
-
-# Read already open asec_apk_file file descriptors passed by installd.
-# Also allow reading unlabeled files, to allow for upgrading forward
-# locked APKs.
-allow dex2oat asec_apk_file:file read;
-allow dex2oat unlabeled:file read;
-allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:file read;
diff --git a/dhcp.te b/dhcp.te
deleted file mode 100644
index a858e08..0000000
--- a/dhcp.te
+++ /dev/null
@@ -1,32 +0,0 @@
-type dhcp, domain, domain_deprecated;
-type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;
-
-init_daemon_domain(dhcp)
-net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms;
-allow dhcp self:netlink_route_socket nlmsg_write;
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-
-# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
-allow dhcp toolbox_exec:file rx_file_perms;
-
-# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
-
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
-
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/dnsmasq.te b/dnsmasq.te
deleted file mode 100644
index e5e4198..0000000
--- a/dnsmasq.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# DNS, DHCP services
-type dnsmasq, domain, domain_deprecated;
-type dnsmasq_exec, exec_type, file_type;
-
-net_domain(dnsmasq)
-
-# TODO:  Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:capability dac_override;
-
-allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
-
-allow dnsmasq dhcp_data_file:dir w_dir_perms;
-allow dnsmasq dhcp_data_file:file create_file_perms;
-
-# Inherit and use open files from netd.
-allow dnsmasq netd:fd use;
-allow dnsmasq netd:fifo_file { read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
-allow dnsmasq netd:netlink_nflog_socket { read write };
-allow dnsmasq netd:netlink_route_socket { read write };
-allow dnsmasq netd:unix_stream_socket { read write };
-allow dnsmasq netd:unix_dgram_socket { read write };
-allow dnsmasq netd:udp_socket { read write };
diff --git a/domain.te b/domain.te
deleted file mode 100644
index 549a0b9..0000000
--- a/domain.te
+++ /dev/null
@@ -1,532 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
-    fork
-    sigchld
-    sigkill
-    sigstop
-    signull
-    signal
-    getsched
-    setsched
-    getsession
-    getpgid
-    setpgid
-    getcap
-    setcap
-    getattr
-    setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-userdebug_or_eng(`
-  # Same as adbd rules above, except allow su to do the same thing
-  allow domain su:unix_stream_socket connectto;
-  allow domain su:fd use;
-  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
-
-  binder_call({ domain -init }, su)
-
-  # Running something like "pm dump com.android.bluetooth" requires
-  # fifo writes
-  allow domain su:fifo_file { write getattr };
-
-  # allow "gdbserver --attach" to work for su.
-  allow domain su:process sigchld;
-
-  # Allow writing coredumps to /cores/*
-  allow domain coredump_file:file create_file_perms;
-  allow domain coredump_file:dir ra_dir_perms;
-')
-
-###
-### Talk to debuggerd.
-###
-allow domain debuggerd:process sigchld;
-allow domain debuggerd:unix_stream_socket connectto;
-
-# Root fs.
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file read;
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
-allow domain binder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
-allow domain urandom_device:chr_file rw_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:dir r_dir_perms;
-allow domain properties_serial:file r_file_perms;
-
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-get_prop(domain, core_property_type)
-dontaudit domain property_type:file audit_access;
-allow domain property_contexts:file r_file_perms;
-
-allow domain init:key search;
-allow domain vold:key search;
-
-# logd access
-write_logd(domain)
-
-# System file accesses.
-allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr };
-allow domain system_file:lnk_file read;
-
-# read any sysfs symlinks
-allow domain sysfs:lnk_file read;
-
-# libc references /data/misc/zoneinfo for timezone related information
-r_dir_file(domain, zoneinfo_data_file)
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-# files under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:lnk_file read;
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-###
-### neverallow rules
-###
-
-# Do not allow any domain other than init or recovery to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-
-# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
-neverallow {
-  domain
-  -debuggerd
-  -vold
-  -dumpstate
-  -system_server
-  userdebug_or_eng(`-perfprofd')
-} self:capability sys_ptrace;
-
-# Limit device node creation to these whitelisted domains.
-neverallow {
-  domain
-  -kernel
-  -init
-  -ueventd
-  -vold
-  -recovery
-} self:capability mknod;
-
-# Limit raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:capability2 mac_override;
-
-# Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
-
-# Once the policy has been loaded there shall be none to modify the policy.
-# It is sealed.
-neverallow * kernel:security load_policy;
-
-# Only init and the system_server shall use the property_service.
-neverallow { domain -init -system_server } security_prop:property_service set;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only init, ueventd and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type.
-neverallow * { file_type -exec_type }:file entrypoint;
-
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
-
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append write };
-
-# No domain should be allowed to ptrace init.
-neverallow * init:process ptrace;
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-# init is exempt from this as there are character devices that only it uses.
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
-
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
-#
-# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
-#
-neverallow {
-    domain
-    -appdomain
-    -dumpstate
-    -shell
-    userdebug_or_eng(`-su')
-    -system_server
-    -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
-neverallow {
-    domain
-    -appdomain # for oemfs
-    -recovery # for /tmp/update_binary in tmpfs
-} { fs_type -rootfs }:file execute;
-# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_recovery_file }:file execute;
-
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
-  domain
-  -untrusted_app
-  -priv_app
-  -shell
-} {
-  data_file_type
-  -dalvikcache_data_file
-  -system_data_file # shared libs in apks
-  -apk_data_file
-}:file no_x_file_perms;
-
-neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
-
-# Only the init property service should write to /data/property.
-neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file no_w_file_perms;
-
-# Only recovery should be doing writes to /system
-neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
-    { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } system_file:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow { domain -recovery } contextmount_type:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Do not allow service_manager add for default_android_service.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in service.te and new mappings
-# from service name to service_type are defined in service_contexts.
-neverallow * default_android_service:service_manager add;
-
-# Require that domains explicitly label unknown properties, and do not allow
-# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
-neverallow { domain -init } mmc_prop:property_service set;
-
-neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
-
-# No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
-
-# No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
-
-# Only servicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager } *:binder set_context_mgr;
-
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
-  domain
-  -init # TODO: limit init to relabelfrom for files
-  -zygote
-  -installd
-  -dex2oat
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
-  domain
-  -init
-  -installd
-  -dex2oat
-  -zygote
-} dalvikcache_data_file:dir no_w_dir_perms;
-
-# Only system_server should be able to send commands via the zygote socket
-neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } zygote_socket:sock_file write;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only dumpstate, shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
-  file_type
-  -system_data_file
-  -apk_data_file
-  -app_data_file
-  -asec_public_file
-}:file execmod;
-
-# Do not allow making the stack or heap executable.
-# We would also like to minimize execmem but it seems to be
-# required by some device-specific service domains.
-neverallow * self:process { execstack execheap };
-
-# prohibit non-zygote spawned processes from using shared libraries
-# with text relocations. b/20013628 .
-neverallow { domain -appdomain } file_type:file execmod;
-
-neverallow { domain -init } proc:{ file dir } mounton;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
-  domain
-  -system_server
-  -system_app
-  -init
-  -installd # for relabelfrom and unlink, check for this in explicit neverallow
-} system_data_file:file no_w_file_perms;
-# do not grant anything greater than r_file_perms and relabelfrom unlink
-# to installd
-neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
-  domain
-  -adbd
-  -init
-  -runas
-  -zygote
-} shell:process { transition dyntransition };
-
-# Minimize read access to shell- or app-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
-  domain
-  -appdomain
-  -installd
-  -uncrypt  # TODO: see if we can remove
-} app_data_file:lnk_file read;
-
-neverallow {
-  domain
-  -shell
-  userdebug_or_eng(`-uncrypt')
-  -installd
-} shell_data_file:lnk_file read;
-
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
-# not be trusting any content in those directories.
-neverallow {
-  domain
-  -adbd
-  -dumpstate
-  -installd
-  -init
-  -shell
-  -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
-  domain
-  -adbd
-  -appdomain
-  -dumpstate
-  -init
-  -installd
-  -system_server # why?
-  userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
-  domain
-  -adbd
-  -appdomain
-  -dumpstate
-  -installd
-  userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
-# servicemanager is the only process which handles list request
-neverallow * ~servicemanager:service_manager list;
-
-# only service_manager_types can be added to service_manager
-neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
-
-neverallow {
-  domain
-  -init
-  -recovery
-  -sdcardd
-  -vold
-} fuse_device:chr_file open;
-neverallow {
-  domain
-  -dumpstate
-  -init
-  -priv_app
-  -recovery
-  -sdcardd
-  -system_server
-  -ueventd
-  -vold
-} fuse_device:chr_file *;
diff --git a/domain_deprecated.te b/domain_deprecated.te
deleted file mode 100644
index 88b62bd..0000000
--- a/domain_deprecated.te
+++ /dev/null
@@ -1,69 +0,0 @@
-# rules removed from the domain attribute
-
-# Read access to properties mapping.
-allow domain_deprecated kernel:fd use;
-allow domain_deprecated tmpfs:file { read getattr };
-allow domain_deprecated tmpfs:lnk_file { read getattr };
-
-# Search /storage/emulated tmpfs mount.
-allow domain_deprecated tmpfs:dir r_dir_perms;
-
-# Inherit or receive open files from others.
-allow domain_deprecated system_server:fd use;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow domain_deprecated adbd:unix_stream_socket connectto;
-allow domain_deprecated adbd:fd use;
-allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# Root fs.
-allow domain_deprecated rootfs:dir r_dir_perms;
-allow domain_deprecated rootfs:file r_file_perms;
-allow domain_deprecated rootfs:lnk_file r_file_perms;
-
-# Device accesses.
-allow domain_deprecated device:file read;
-
-# System file accesses.
-allow domain_deprecated system_file:dir r_dir_perms;
-allow domain_deprecated system_file:file r_file_perms;
-allow domain_deprecated system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data.
-allow domain_deprecated system_data_file:dir { search getattr };
-allow domain_deprecated system_data_file:file { getattr read };
-allow domain_deprecated system_data_file:lnk_file r_file_perms;
-
-# Read apk files under /data/app.
-allow domain_deprecated apk_data_file:dir { getattr search };
-allow domain_deprecated apk_data_file:file r_file_perms;
-allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow domain_deprecated dalvikcache_data_file:dir { search getattr };
-allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-
-# Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
-
-#Allow access to ion memory allocation device
-allow domain_deprecated ion_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
-r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, inotify)
-r_dir_file(domain_deprecated, cgroup)
-r_dir_file(domain_deprecated, proc_meminfo)
-r_dir_file(domain_deprecated, proc_net)
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-
-# World readable asec image contents
-allow domain_deprecated asec_public_file:file r_file_perms;
-allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
diff --git a/drmserver.te b/drmserver.te
deleted file mode 100644
index 3b654cc..0000000
--- a/drmserver.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# drmserver - DRM service
-type drmserver, domain, domain_deprecated;
-type drmserver_exec, exec_type, file_type;
-
-init_daemon_domain(drmserver)
-typeattribute drmserver mlstrustedsubject;
-
-net_domain(drmserver)
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system_server)
-binder_call(drmserver, appdomain)
-binder_service(drmserver)
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
-r_dir_file(drmserver, efs_file)
-
-type drmserver_socket, file_type;
-
-# /data/app/tlcd_sock socket file.
-# Clearly, /data/app is the most logical place to create a socket.  Not.
-allow drmserver apk_data_file:dir rw_dir_perms;
-type_transition drmserver apk_data_file:sock_file drmserver_socket;
-allow drmserver drmserver_socket:sock_file create_file_perms;
-allow drmserver tee:unix_stream_socket connectto;
-# Delete old socket file if present.
-allow drmserver apk_data_file:sock_file unlink;
-
-# After taking a video, drmserver looks at the video file.
-r_dir_file(drmserver, media_rw_data_file)
-
-# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr };
-allow drmserver asec_apk_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr };
-
-# /oem access
-allow drmserver oemfs:dir search;
-allow drmserver oemfs:file r_file_perms;
-
-allow drmserver drmserver_service:service_manager { add find };
-allow drmserver permission_service:service_manager find;
-
-selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
deleted file mode 100644
index be9542f..0000000
--- a/dumpstate.te
+++ /dev/null
@@ -1,133 +0,0 @@
-# dumpstate
-type dumpstate, domain, domain_deprecated, mlstrustedsubject;
-type dumpstate_exec, exec_type, file_type;
-
-init_daemon_domain(dumpstate)
-net_domain(dumpstate)
-binder_use(dumpstate)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid sys_resource };
-
-# Allow dumpstate to scan through /proc/pid for all processes
-r_dir_file(dumpstate, domain)
-
-# Send signals to processes
-allow dumpstate self:capability kill;
-
-# Allow executing files on system, such as:
-#   /system/bin/toolbox
-#   /system/bin/logcat
-#   /system/bin/dumpsys
-allow dumpstate system_file:file execute_no_trans;
-allow dumpstate toolbox_exec:file rx_file_perms;
-
-# Create and write into /data/anr/
-allow dumpstate self:capability { dac_override chown fowner fsetid };
-allow dumpstate anr_data_file:dir rw_dir_perms;
-allow dumpstate anr_data_file:file create_file_perms;
-
-# Allow reading /data/system/uiderrors.txt
-# TODO: scope this down.
-allow dumpstate system_data_file:file r_file_perms;
-
-# Read dmesg
-allow dumpstate self:capability2 syslog;
-allow dumpstate kernel:system syslog_read;
-
-# Read /sys/fs/pstore/console-ramoops
-allow dumpstate pstorefs:dir r_dir_perms;
-allow dumpstate pstorefs:file r_file_perms;
-
-# Get process attributes
-allow dumpstate domain:process getattr;
-
-# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server }:process signal;
-
-# Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
-# Ask debuggerd for the backtraces of these processes.
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
-
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
-# Vibrate the device after we're done collecting the bugreport
-# /sys/class/timed_output/vibrator/enable
-# TODO: create a new file class, instead of allowing write access to all of /sys
-allow dumpstate sysfs:file w_file_perms;
-
-# Other random bits of data we want to collect
-allow dumpstate qtaguid_proc:file r_file_perms;
-allow dumpstate debugfs:file r_file_perms;
-# df for /storage/emulated needs search
-allow dumpstate { storage_file block_device }:dir { search getattr };
-allow dumpstate fuse_device:chr_file getattr;
-allow dumpstate { dm_device cache_block_device }:blk_file getattr;
-
-# Allow dumpstate to make binder calls to any binder service
-binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, appdomain)
-
-# Reading /proc/PID/maps of other processes
-allow dumpstate self:capability sys_ptrace;
-
-# Allow the bugreport service to create a file in
-# /data/data/com.android.shell/files/bugreports/bugreport
-allow dumpstate shell_data_file:dir create_dir_perms;
-allow dumpstate shell_data_file:file create_file_perms;
-
-# Run a shell.
-allow dumpstate shell_exec:file rx_file_perms;
-
-# For running am and similar framework commands.
-# Run /system/bin/app_process.
-allow dumpstate zygote_exec:file rx_file_perms;
-# Dalvik Compiler JIT.
-allow dumpstate ashmem_device:chr_file execute;
-allow dumpstate dumpstate_tmpfs:file execute;
-allow dumpstate self:process execmem;
-# For art.
-allow dumpstate dalvikcache_data_file:file execute;
-allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
-
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
-# logd access
-read_logd(dumpstate)
-control_logd(dumpstate)
-
-# Read network state info files.
-allow dumpstate net_data_file:dir search;
-allow dumpstate net_data_file:file r_file_perms;
-
-# Access /data/tombstones.
-allow dumpstate tombstone_data_file:dir r_dir_perms;
-allow dumpstate tombstone_data_file:file r_file_perms;
-
-# Access /cache/recovery
-allow dumpstate cache_recovery_file:dir r_dir_perms;
-allow dumpstate cache_recovery_file:file r_file_perms;
-
-# Access /data/misc/recovery
-allow dumpstate recovery_data_file:dir r_dir_perms;
-allow dumpstate recovery_data_file:file r_file_perms;
-
-allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
-allow dumpstate servicemanager:service_manager list;
-
-allow dumpstate devpts:chr_file rw_file_perms;
-
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-
-# systrace support - allow atrace to run
-allow dumpstate debugfs_tracing:dir r_dir_perms;
-allow dumpstate debugfs_tracing:file rw_file_perms;
-allow dumpstate debugfs_trace_marker:file getattr;
-allow dumpstate atrace_exec:file rx_file_perms;
diff --git a/file.te b/file.te
deleted file mode 100644
index b789e36..0000000
--- a/file.te
+++ /dev/null
@@ -1,237 +0,0 @@
-# Filesystem types
-type labeledfs, fs_type;
-type pipefs, fs_type;
-type sockfs, fs_type;
-type rootfs, fs_type;
-type proc, fs_type;
-# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type;
-# Type for /proc/sys/vm/drop_caches
-type proc_drop_caches, fs_type;
-# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, sysfs_type;
-type qtaguid_proc, fs_type, mlstrustedobject;
-type proc_bluetooth_writable, fs_type;
-type proc_cpuinfo, fs_type;
-type proc_iomem, fs_type;
-type proc_meminfo, fs_type;
-type proc_net, fs_type;
-type proc_sysrq, fs_type;
-type proc_uid_cputime_showstat, fs_type;
-type proc_uid_cputime_removeuid, fs_type;
-type selinuxfs, fs_type, mlstrustedobject;
-type cgroup, fs_type, mlstrustedobject;
-type sysfs, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_uio, sysfs_type, fs_type;
-type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_mac_address, fs_type, sysfs_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-# /sys/module/lowmemorykiller
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-
-type sysfs_thermal, sysfs_type, fs_type;
-
-type sysfs_zram, fs_type, sysfs_type;
-type sysfs_zram_uevent, fs_type, sysfs_type;
-type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type, mlstrustedobject;
-type tmpfs, fs_type;
-type shm, fs_type;
-type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
-type vfat, sdcard_type, fs_type, mlstrustedobject;
-typealias fuse alias sdcard_internal;
-typealias vfat alias sdcard_external;
-type debugfs, fs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type pstorefs, fs_type;
-type functionfs, fs_type;
-type oemfs, fs_type, contextmount_type;
-type usbfs, fs_type;
-type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
-
-# File types
-type unlabeled, file_type;
-# Default type for anything under /system.
-type system_file, file_type;
-# Type for /system/bin/logcat.
-type logcat_exec, exec_type, file_type;
-# /cores for coredumps on userdebug / eng builds
-type coredump_file, file_type;
-# Default type for anything under /data.
-type system_data_file, file_type, data_file_type;
-# Unencrypted data
-type unencrypted_data_file, file_type, data_file_type;
-# /data/.layout_version or other installd-created files that
-# are created in a system_data_file directory.
-type install_data_file, file_type, data_file_type;
-# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type;
-# /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type;
-# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, mlstrustedobject;
-# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type;
-# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type;
-type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
-# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
-# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type;
-# /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type;
-# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, mlstrustedobject;
-# /data/gps
-type gps_data_file, file_type, data_file_type;
-# /data/property
-type property_data_file, file_type, data_file_type;
-# /data/bootchart
-type bootchart_data_file, file_type, data_file_type;
-# /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
-# /data/nativetest
-type nativetest_data_file, file_type, data_file_type;
-
-# Mount locations managed by vold
-type mnt_media_rw_file, file_type;
-type mnt_user_file, file_type;
-type mnt_expand_file, file_type;
-type storage_file, file_type;
-
-# Label for storage dirs which are just mount stubs
-type mnt_media_rw_stub_file, file_type;
-type storage_stub_file, file_type;
-
-# /postinstall: Mount point used by update_engine to run postinstall.
-type postinstall_mnt_dir, file_type;
-# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type, exec_type;
-
-# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type;
-type audio_data_file, file_type, data_file_type;
-type bluetooth_data_file, file_type, data_file_type;
-type bootstat_data_file, file_type, data_file_type;
-type boottrace_data_file, file_type, data_file_type;
-type camera_data_file, file_type, data_file_type;
-type gatekeeper_data_file, file_type, data_file_type;
-type keychain_data_file, file_type, data_file_type;
-type keystore_data_file, file_type, data_file_type;
-type media_data_file, file_type, data_file_type;
-type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type;
-type net_data_file, file_type, data_file_type;
-type nfc_data_file, file_type, data_file_type;
-type radio_data_file, file_type, data_file_type, mlstrustedobject;
-type recovery_data_file, file_type, data_file_type;
-type shared_relro_file, file_type, data_file_type;
-type systemkeys_data_file, file_type, data_file_type;
-type vpn_data_file, file_type, data_file_type;
-type wifi_data_file, file_type, data_file_type;
-type zoneinfo_data_file, file_type, data_file_type;
-type vold_data_file, file_type, data_file_type;
-type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
-# /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
-
-# Compatibility with type names used in vanilla Android 4.3 and 4.4.
-typealias audio_data_file alias audio_firmware_file;
-# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type;
-# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, mlstrustedobject;
-# Compatibility with type name used in Android 4.3 and 4.4.
-typealias app_data_file alias platform_app_data_file;
-typealias app_data_file alias download_file;
-# Default type for anything under /cache
-type cache_file, file_type, mlstrustedobject;
-# Type for /cache/.*\.{data|restore} and default
-# type for anything under /cache/backup
-type cache_backup_file, file_type, mlstrustedobject;
-# Type for anything under /cache/recovery
-type cache_recovery_file, file_type, mlstrustedobject;
-# Default type for anything under /efs
-type efs_file, file_type;
-# Type for wallpaper file.
-type wallpaper_file, file_type, mlstrustedobject;
-# /mnt/asec
-type asec_apk_file, file_type, data_file_type, mlstrustedobject;
-# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type;
-# /data/app-asec
-type asec_image_file, file_type, data_file_type;
-# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, mlstrustedobject;
-# All devices have bluetooth efs files. But they
-# vary per device, so this type is used in per
-# device policy
-type bluetooth_efs_file, file_type;
-# Type for fingerprint template file.
-type fingerprintd_data_file, file_type, data_file_type;
-# Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, mlstrustedobject;
-
-# Socket types
-type adbd_socket, file_type;
-type bluetooth_socket, file_type;
-type dnsproxyd_socket, file_type, mlstrustedobject;
-type dumpstate_socket, file_type;
-type fwmarkd_socket, file_type, mlstrustedobject;
-type gps_socket, file_type;
-type installd_socket, file_type;
-type lmkd_socket, file_type;
-type logd_socket, file_type, mlstrustedobject;
-type logdr_socket, file_type, mlstrustedobject;
-type logdw_socket, file_type, mlstrustedobject;
-type mdns_socket, file_type;
-type mdnsd_socket, file_type, mlstrustedobject;
-type misc_logd_file, file_type;
-type mtpd_socket, file_type;
-type netd_socket, file_type;
-type property_socket, file_type;
-type racoon_socket, file_type;
-type rild_socket, file_type;
-type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type;
-type vold_socket, file_type;
-type wpa_socket, file_type;
-type zygote_socket, file_type;
-type sap_uim_socket, file_type;
-# UART (for GPS) control proc file
-type gps_control, file_type;
-
-# property_contexts file
-type property_contexts, file_type;
-
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type debugfs:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow app_fuse_file app_fusefs:filesystem associate;
-allow postinstall_file self:filesystem associate;
-
-# It's a bug to assign the file_type attribute and fs_type attribute
-# to any type. Do not allow it.
-#
-# For example, the following is a bug:
-#   type apk_data_file, file_type, data_file_type, fs_type;
-# Should be:
-#   type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem associate;
diff --git a/file_contexts b/file_contexts
deleted file mode 100644
index 83d87e1..0000000
--- a/file_contexts
+++ /dev/null
@@ -1,357 +0,0 @@
-###########################################
-# Root
-/                   u:object_r:rootfs:s0
-
-# Data files
-/adb_keys           u:object_r:adb_keys_file:s0
-/build\.prop        u:object_r:rootfs:s0
-/default\.prop      u:object_r:rootfs:s0
-/fstab\..*          u:object_r:rootfs:s0
-/init\..*           u:object_r:rootfs:s0
-/res(/.*)?          u:object_r:rootfs:s0
-/selinux_version    u:object_r:rootfs:s0
-/ueventd\..*        u:object_r:rootfs:s0
-/verity_key         u:object_r:rootfs:s0
-
-# Executables
-/charger            u:object_r:rootfs:s0
-/init               u:object_r:init_exec:s0
-/sbin(/.*)?         u:object_r:rootfs:s0
-
-# Empty directories
-/lost\+found        u:object_r:rootfs:s0
-/acct               u:object_r:cgroup:s0
-/config             u:object_r:rootfs:s0
-/mnt                u:object_r:tmpfs:s0
-/postinstall        u:object_r:postinstall_mnt_dir:s0
-/proc               u:object_r:rootfs:s0
-/root               u:object_r:rootfs:s0
-/sys                u:object_r:sysfs:s0
-
-# Symlinks
-/d                  u:object_r:rootfs:s0
-/etc                u:object_r:rootfs:s0
-/sdcard             u:object_r:rootfs:s0
-
-# SELinux policy files
-/file_contexts\.bin u:object_r:rootfs:s0
-/property_contexts  u:object_r:property_contexts:s0
-/seapp_contexts     u:object_r:rootfs:s0
-/sepolicy           u:object_r:rootfs:s0
-/service_contexts   u:object_r:rootfs:s0
-
-##########################
-# Devices
-#
-/dev(/.*)?		u:object_r:device:s0
-/dev/akm8973.*		u:object_r:sensors_device:s0
-/dev/accelerometer	u:object_r:sensors_device:s0
-/dev/adf[0-9]*		u:object_r:graphics_device:s0
-/dev/adf-interface[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
-/dev/adf-overlay-engine[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
-/dev/alarm		u:object_r:alarm_device:s0
-/dev/android_adb.*	u:object_r:adb_device:s0
-/dev/ashmem		u:object_r:ashmem_device:s0
-/dev/audio.*		u:object_r:audio_device:s0
-/dev/binder		u:object_r:binder_device:s0
-/dev/block(/.*)?	u:object_r:block_device:s0
-/dev/block/dm-[0-9]+	u:object_r:dm_device:s0
-/dev/block/loop[0-9]*	u:object_r:loop_device:s0
-/dev/block/vold/.+	u:object_r:vold_device:s0
-/dev/block/ram[0-9]*	u:object_r:ram_device:s0
-/dev/block/zram[0-9]*	u:object_r:ram_device:s0
-/dev/bus/usb(.*)?       u:object_r:usb_device:s0
-/dev/cam		u:object_r:video_device:s0
-/dev/console		u:object_r:console_device:s0
-/dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
-/dev/device-mapper	u:object_r:dm_device:s0
-/dev/eac		u:object_r:audio_device:s0
-/dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
-/dev/full		u:object_r:full_device:s0
-/dev/fuse		u:object_r:fuse_device:s0
-/dev/graphics(/.*)?	u:object_r:graphics_device:s0
-/dev/hw_random		u:object_r:hw_random_device:s0
-/dev/i2c-[0-9]+		u:object_r:i2c_device:s0
-/dev/input(/.*)		u:object_r:input_device:s0
-/dev/iio:device[0-9]+   u:object_r:iio_device:s0
-/dev/ion		u:object_r:ion_device:s0
-/dev/kmem		u:object_r:kmem_device:s0
-/dev/log(/.*)?		u:object_r:log_device:s0
-/dev/mem		u:object_r:kmem_device:s0
-/dev/modem.*		u:object_r:radio_device:s0
-/dev/mpu		u:object_r:gps_device:s0
-/dev/mpuirq		u:object_r:gps_device:s0
-/dev/mtd(/.*)?		u:object_r:mtd_device:s0
-/dev/mtp_usb		u:object_r:mtp_device:s0
-/dev/pmsg0		u:object_r:pmsg_device:s0
-/dev/pn544		u:object_r:nfc_device:s0
-/dev/ppp		u:object_r:ppp_device:s0
-/dev/ptmx		u:object_r:ptmx_device:s0
-/dev/pvrsrvkm		u:object_r:gpu_device:s0
-/dev/kmsg		u:object_r:kmsg_device:s0
-/dev/null		u:object_r:null_device:s0
-/dev/nvhdcp1		u:object_r:video_device:s0
-/dev/random		u:object_r:random_device:s0
-/dev/rpmsg-omx[0-9]	u:object_r:rpmsg_device:s0
-/dev/rproc_user	u:object_r:rpmsg_device:s0
-/dev/rtc[0-9]      u:object_r:rtc_device:s0
-/dev/snd(/.*)?		u:object_r:audio_device:s0
-/dev/socket(/.*)?	u:object_r:socket_device:s0
-/dev/socket/adbd	u:object_r:adbd_socket:s0
-/dev/socket/sap_uim_socket[0-9]        u:object_r:sap_uim_socket:s0
-/dev/socket/cryptd	u:object_r:vold_socket:s0
-/dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
-/dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
-/dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
-/dev/socket/gps		u:object_r:gps_socket:s0
-/dev/socket/installd	u:object_r:installd_socket:s0
-/dev/socket/lmkd        u:object_r:lmkd_socket:s0
-/dev/socket/logd	u:object_r:logd_socket:s0
-/dev/socket/logdr	u:object_r:logdr_socket:s0
-/dev/socket/logdw	u:object_r:logdw_socket:s0
-/dev/socket/mdns	u:object_r:mdns_socket:s0
-/dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
-/dev/socket/mtpd	u:object_r:mtpd_socket:s0
-/dev/socket/netd	u:object_r:netd_socket:s0
-/dev/socket/property_service	u:object_r:property_socket:s0
-/dev/socket/racoon	u:object_r:racoon_socket:s0
-/dev/socket/rild	u:object_r:rild_socket:s0
-/dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
-/dev/socket/vold	u:object_r:vold_socket:s0
-/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
-/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
-/dev/socket/zygote	u:object_r:zygote_socket:s0
-/dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
-/dev/spdif_out.*	u:object_r:audio_device:s0
-/dev/tegra.*		u:object_r:video_device:s0
-/dev/tf_driver		u:object_r:tee_device:s0
-/dev/tty		u:object_r:owntty_device:s0
-/dev/tty[0-9]*		u:object_r:tty_device:s0
-/dev/ttyS[0-9]*		u:object_r:serial_device:s0
-/dev/tun		u:object_r:tun_device:s0
-/dev/uhid		u:object_r:uhid_device:s0
-/dev/uinput		u:object_r:uhid_device:s0
-/dev/uio[0-9]*		u:object_r:uio_device:s0
-/dev/urandom		u:object_r:urandom_device:s0
-/dev/usb_accessory	u:object_r:usbaccessory_device:s0
-/dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
-/dev/video[0-9]*	u:object_r:video_device:s0
-/dev/watchdog		u:object_r:watchdog_device:s0
-/dev/xt_qtaguid	u:object_r:qtaguid_device:s0
-/dev/zero		u:object_r:zero_device:s0
-/dev/__kmsg__		u:object_r:klog_device:s0
-/dev/__properties__ u:object_r:properties_device:s0
-#############################
-# System files
-#
-/system(/.*)?		u:object_r:system_file:s0
-/system/bin/atrace	u:object_r:atrace_exec:s0
-/system/bin/e2fsck	--	u:object_r:fsck_exec:s0
-/system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
-/system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
-/system/bin/toolbox	--	u:object_r:toolbox_exec:s0
-/system/bin/toybox	--	u:object_r:toolbox_exec:s0
-/system/bin/logcat	--	u:object_r:logcat_exec:s0
-/system/bin/sh		--	u:object_r:shell_exec:s0
-/system/bin/run-as	--	u:object_r:runas_exec:s0
-/system/bin/bootanimation u:object_r:bootanim_exec:s0
-/system/bin/bootstat		u:object_r:bootstat_exec:s0
-/system/bin/app_process32	u:object_r:zygote_exec:s0
-/system/bin/app_process64	u:object_r:zygote_exec:s0
-/system/bin/servicemanager	u:object_r:servicemanager_exec:s0
-/system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
-/system/bin/drmserver	u:object_r:drmserver_exec:s0
-/system/bin/dumpstate   u:object_r:dumpstate_exec:s0
-/system/bin/vold	u:object_r:vold_exec:s0
-/system/bin/netd	u:object_r:netd_exec:s0
-/system/bin/rild	u:object_r:rild_exec:s0
-/system/bin/mediaserver	u:object_r:mediaserver_exec:s0
-/system/bin/mdnsd	u:object_r:mdnsd_exec:s0
-/system/bin/installd	u:object_r:installd_exec:s0
-/system/bin/keystore	u:object_r:keystore_exec:s0
-/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
-/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
-/system/bin/debuggerd	u:object_r:debuggerd_exec:s0
-/system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
-/system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
-/system/bin/recovery-persist     u:object_r:recovery_persist_exec:s0
-/system/bin/recovery-refresh     u:object_r:recovery_refresh_exec:s0
-/system/bin/sdcard      u:object_r:sdcardd_exec:s0
-/system/bin/dhcpcd      u:object_r:dhcp_exec:s0
-/system/bin/dhcpcd-6.8.2	u:object_r:dhcp_exec:s0
-/system/bin/mtpd	u:object_r:mtp_exec:s0
-/system/bin/pppd	u:object_r:ppp_exec:s0
-/system/bin/tf_daemon	u:object_r:tee_exec:s0
-/system/bin/racoon	u:object_r:racoon_exec:s0
-/system/xbin/su		u:object_r:su_exec:s0
-/system/xbin/perfprofd  u:object_r:perfprofd_exec:s0
-/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
-/system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
-/system/bin/hostapd     u:object_r:hostapd_exec:s0
-/system/bin/clatd	u:object_r:clatd_exec:s0
-/system/bin/lmkd        u:object_r:lmkd_exec:s0
-/system/bin/inputflinger u:object_r:inputflinger_exec:s0
-/system/bin/logd        u:object_r:logd_exec:s0
-/system/bin/uncrypt     u:object_r:uncrypt_exec:s0
-/system/bin/update_verifier u:object_r:update_verifier_exec:s0
-/system/bin/logwrapper  u:object_r:system_file:s0
-/system/bin/vdc         u:object_r:vdc_exec:s0
-/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
-/system/bin/dex2oat     u:object_r:dex2oat_exec:s0
-# patchoat executable has (essentially) the same requirements as dex2oat.
-/system/bin/patchoat    u:object_r:dex2oat_exec:s0
-/system/bin/sgdisk      u:object_r:sgdisk_exec:s0
-/system/bin/blkid       u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
-/system/bin/idmap u:object_r:idmap_exec:s0
-/system/bin/update_engine        u:object_r:update_engine_exec:s0
-/system/bin/bspatch              u:object_r:update_engine_exec:s0
-
-#############################
-# Vendor files
-#
-/vendor(/.*)?		u:object_r:system_file:s0
-/vendor/bin/gpsd	u:object_r:gpsd_exec:s0
-
-#############################
-# OEM and ODM files
-#
-/odm(/.*)?              u:object_r:system_file:s0
-/oem(/.*)?              u:object_r:oemfs:s0
-
-
-#############################
-# Data files
-#
-# NOTE: When modifying existing label rules, changes may also need to
-# propagate to the "Expanded data files" section.
-#
-/data(/.*)?		u:object_r:system_data_file:s0
-/data/.layout_version		u:object_r:install_data_file:s0
-/data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
-/data/backup(/.*)?		u:object_r:backup_data_file:s0
-/data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
-/data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
-/data/drm(/.*)?		u:object_r:drm_data_file:s0
-/data/gps(/.*)?		u:object_r:gps_data_file:s0
-/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
-/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/adb(/.*)?		u:object_r:adb_data_file:s0
-/data/anr(/.*)?		u:object_r:anr_data_file:s0
-/data/app(/.*)?                       u:object_r:apk_data_file:s0
-/data/app/[^/]+/oat(/.*)?                u:object_r:dalvikcache_data_file:s0
-/data/app/vmdl[^/]+\.tmp(/.*)?           u:object_r:apk_tmp_file:s0
-/data/app/vmdl[^/]+\.tmp/oat(/.*)?           u:object_r:dalvikcache_data_file:s0
-/data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
-/data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
-/data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
-/data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
-/data/media(/.*)?	u:object_r:media_rw_data_file:s0
-/data/mediadrm(/.*)?	u:object_r:media_data_file:s0
-/data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0
-/data/property(/.*)?	u:object_r:property_data_file:s0
-
-# Misc data
-/data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
-/data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
-/data/misc/bootstat(/.*)?       u:object_r:bootstat_data_file:s0
-/data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
-/data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
-/data/misc/bluedroid(/.*)?      u:object_r:bluetooth_data_file:s0
-/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
-/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
-/data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
-/data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
-/data/misc/dhcp-6.8.2(/.*)?     u:object_r:dhcp_data_file:s0
-/data/misc/gatekeeper(/.*)?     u:object_r:gatekeeper_data_file:s0
-/data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
-/data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
-/data/misc/logd(/.*)?           u:object_r:misc_logd_file:s0
-/data/misc/media(/.*)?          u:object_r:media_data_file:s0
-/data/misc/net(/.*)?            u:object_r:net_data_file:s0
-/data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
-/data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
-/data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
-/data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
-/data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
-/data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
-/data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
-/data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
-/data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
-/data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
-/data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
-/data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
-/data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
-/data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
-/data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
-/data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
-
-# Fingerprint data
-/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
-
-# Bootchart data
-/data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
-
-#############################
-# Expanded data files
-#
-/mnt/expand(/.*)?                                   u:object_r:mnt_expand_file:s0
-/mnt/expand/[^/]+(/.*)?                             u:object_r:system_data_file:s0
-/mnt/expand/[^/]+/app(/.*)?                         u:object_r:apk_data_file:s0
-/mnt/expand/[^/]+/app/[^/]+/oat(/.*)?               u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)?          u:object_r:apk_tmp_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)?      u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/local/tmp(/.*)?                   u:object_r:shell_data_file:s0
-/mnt/expand/[^/]+/media(/.*)?                       u:object_r:media_rw_data_file:s0
-/mnt/expand/[^/]+/misc/vold(/.*)?                   u:object_r:vold_data_file:s0
-
-# coredump directory for userdebug/eng devices
-/cores(/.*)?                    u:object_r:coredump_file:s0
-
-# Wallpaper file for other users
-/data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
-#############################
-# efs files
-#
-/efs(/.*)?		u:object_r:efs_file:s0
-#############################
-# Cache files
-#
-/cache(/.*)?		u:object_r:cache_file:s0
-/cache/.*\.data	u:object_r:cache_backup_file:s0
-/cache/.*\.restore	u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this directory
-/cache/backup(/.*)?	u:object_r:cache_backup_file:s0
-/cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
-#############################
-# sysfs files
-#
-/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
-/sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
-/sys/devices/virtual/block/zram\d+(/.*)?     u:object_r:sysfs_zram:s0
-/sys/devices/virtual/block/zram\d+/uevent    u:object_r:sysfs_zram_uevent:s0
-/sys/devices/virtual/misc/hw_random(/.*)?    u:object_r:sysfs_hwrandom:s0
-/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
-/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
-/sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
-/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
-
-#############################
-# debugfs files
-#
-/sys/kernel/debug/tracing(/.*)?          u:object_r:debugfs_tracing:s0
-/sys/kernel/debug/tracing/trace_marker   u:object_r:debugfs_trace_marker:s0
-
-#############################
-# asec containers
-/mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
-/mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
-/mnt/asec/[^/]+/lib(/.*)?   u:object_r:asec_public_file:s0
-/data/app-asec(/.*)?        u:object_r:asec_image_file:s0
-
-#############################
-# external storage
-/mnt/media_rw(/.*)?         u:object_r:mnt_media_rw_file:s0
-/mnt/user(/.*)?             u:object_r:mnt_user_file:s0
-/mnt/runtime(/.*)?          u:object_r:storage_file:s0
-/storage(/.*)?              u:object_r:storage_file:s0
diff --git a/file_contexts_asan b/file_contexts_asan
deleted file mode 100644
index 5813d32..0000000
--- a/file_contexts_asan
+++ /dev/null
@@ -1,4 +0,0 @@
-/data/lib(/.*)?                u:object_r:system_file:s0
-/data/lib64(/.*)?              u:object_r:system_file:s0
-/data/vendor/lib(/.*)?         u:object_r:system_file:s0
-/data/vendor/lib64(/.*)?       u:object_r:system_file:s0
diff --git a/fingerprintd.te b/fingerprintd.te
deleted file mode 100644
index 1c0ab1c..0000000
--- a/fingerprintd.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type fingerprintd, domain, domain_deprecated;
-type fingerprintd_exec, exec_type, file_type;
-
-# fingerprintd
-init_daemon_domain(fingerprintd)
-binder_use(fingerprintd)
-
-# need to find KeyStore and add self
-allow fingerprintd fingerprintd_service:service_manager { add find };
-
-# allow HAL module to read dir contents
-allow fingerprintd fingerprintd_data_file:file { create_file_perms };
-
-# allow HAL module to read/write/unlink contents of this dir
-allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
-
-# Need to add auth tokens to KeyStore
-use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
-
-# For permissions checking
-binder_call(fingerprintd, system_server);
-allow fingerprintd permission_service:service_manager find;
diff --git a/fs_use b/fs_use
deleted file mode 100644
index 4bd1112..0000000
--- a/fs_use
+++ /dev/null
@@ -1,23 +0,0 @@
-# Label inodes via getxattr.
-fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
-fs_use_xattr jffs2 u:object_r:labeledfs:s0;
-fs_use_xattr ext2 u:object_r:labeledfs:s0;
-fs_use_xattr ext3 u:object_r:labeledfs:s0;
-fs_use_xattr ext4 u:object_r:labeledfs:s0;
-fs_use_xattr xfs u:object_r:labeledfs:s0;
-fs_use_xattr btrfs u:object_r:labeledfs:s0;
-fs_use_xattr f2fs u:object_r:labeledfs:s0;
-fs_use_xattr squashfs u:object_r:labeledfs:s0;
-
-# Label inodes from task label.
-fs_use_task pipefs u:object_r:pipefs:s0;
-fs_use_task sockfs u:object_r:sockfs:s0;
-
-# Label inodes from combination of task label and fs label.
-# Define type_transition rules if you want per-domain types.
-fs_use_trans devpts u:object_r:devpts:s0;
-fs_use_trans tmpfs u:object_r:tmpfs:s0;
-fs_use_trans devtmpfs u:object_r:device:s0;
-fs_use_trans shm u:object_r:shm:s0;
-fs_use_trans mqueue u:object_r:mqueue:s0;
-
diff --git a/fsck.te b/fsck.te
deleted file mode 100644
index d5a6db1..0000000
--- a/fsck.te
+++ /dev/null
@@ -1,47 +0,0 @@
-# Any fsck program run by init
-type fsck, domain, domain_deprecated;
-type fsck_exec, exec_type, file_type;
-
-init_daemon_domain(fsck)
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow fsck tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
-
-# Run fsck on certain block devices
-allow fsck block_device:dir search;
-allow fsck userdata_block_device:blk_file rw_file_perms;
-allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck dm_device:blk_file rw_file_perms;
-
-# fsck performs a stat() on swap to verify that it is a valid
-# swap device before setting the EXT2_MF_SWAP mount flag.
-allow fsck swap_block_device:blk_file getattr;
-
-###
-### neverallow rules
-###
-
-# fsck should never be run on these block devices
-neverallow fsck {
-  boot_block_device
-  frp_block_device
-  metadata_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  vold_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
-neverallow * fsck:process dyntransition;
-neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
deleted file mode 100644
index 00faa20..0000000
--- a/fsck_untrusted.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# Any fsck program run on untrusted block devices
-type fsck_untrusted, domain, domain_deprecated;
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck_untrusted vold:fd use;
-allow fsck_untrusted vold:fifo_file { read write getattr };
-
-# Run fsck on vold block devices
-allow fsck_untrusted block_device:dir search;
-allow fsck_untrusted vold_device:blk_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted fsck should never be run on block devices holding sensitive data
-neverallow fsck_untrusted {
-  boot_block_device
-  frp_block_device
-  metadata_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  userdata_block_device
-  cache_block_device
-  dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via fsck binaries
-neverallow { domain -vold } fsck_untrusted:process transition;
-neverallow * fsck_untrusted:process dyntransition;
-neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/gatekeeperd.te b/gatekeeperd.te
deleted file mode 100644
index 81d7fdf..0000000
--- a/gatekeeperd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type gatekeeperd, domain, domain_deprecated;
-type gatekeeperd_exec, exec_type, file_type;
-
-# gatekeeperd
-init_daemon_domain(gatekeeperd)
-binder_service(gatekeeperd)
-binder_use(gatekeeperd)
-allow gatekeeperd tee_device:chr_file rw_file_perms;
-
-# need to find KeyStore and add self
-allow gatekeeperd gatekeeper_service:service_manager { add find };
-
-# Need to add auth tokens to KeyStore
-use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
-
-# For permissions checking
-allow gatekeeperd system_server:binder call;
-allow gatekeeperd permission_service:service_manager find;
-# For parent user ID lookup
-allow gatekeeperd user_service:service_manager find;
-
-# for SID file access
-allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
-allow gatekeeperd gatekeeper_data_file:file create_file_perms;
-
-neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/genfs_contexts b/genfs_contexts
deleted file mode 100644
index 2700a94..0000000
--- a/genfs_contexts
+++ /dev/null
@@ -1,41 +0,0 @@
-# Label inodes with the fs label.
-genfscon rootfs / u:object_r:rootfs:s0
-# proc labeling can be further refined (longest matching prefix).
-genfscon proc / u:object_r:proc:s0
-genfscon proc /iomem u:object_r:proc_iomem:s0
-genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
-genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
-genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
-genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
-genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
-genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
-genfscon proc /sys/net u:object_r:proc_net:s0
-genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
-genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
-genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
-genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
-
-# selinuxfs booleans can be individually labeled.
-genfscon selinuxfs / u:object_r:selinuxfs:s0
-genfscon cgroup / u:object_r:cgroup:s0
-# sysfs labels can be set by userspace.
-genfscon sysfs / u:object_r:sysfs:s0
-genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:vfat:s0
-genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:fuse:s0
-genfscon pstore / u:object_r:pstorefs:s0
-genfscon functionfs / u:object_r:functionfs:s0
-genfscon usbfs / u:object_r:usbfs:s0
-genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
diff --git a/global_macros b/global_macros
deleted file mode 100644
index 0534e46..0000000
--- a/global_macros
+++ /dev/null
@@ -1,46 +0,0 @@
-#####################################
-# Common groupings of object classes.
-#
-define(`capability_class_set', `{ capability capability2 }')
-
-define(`devfile_class_set', `{ chr_file blk_file }')
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
-define(`dir_file_class_set', `{ dir file_class_set }')
-
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-define(`ipc_class_set', `{ sem msgq shm ipc }')
-
-#####################################
-# Common groupings of permissions.
-#
-define(`x_file_perms', `{ getattr execute execute_no_trans }')
-define(`r_file_perms', `{ getattr open read ioctl lock }')
-define(`w_file_perms', `{ open append write lock }')
-define(`rx_file_perms', `{ r_file_perms x_file_perms }')
-define(`ra_file_perms', `{ r_file_perms append }')
-define(`rw_file_perms', `{ r_file_perms w_file_perms }')
-define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
-define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
-
-define(`r_dir_perms', `{ open getattr read search ioctl lock }')
-define(`w_dir_perms', `{ open search write add_name remove_name lock }')
-define(`ra_dir_perms', `{ r_dir_perms add_name write }')
-define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
-
-define(`r_ipc_perms', `{ getattr read associate unix_read }')
-define(`w_ipc_perms', `{ write unix_write }')
-define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
-define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
-
-#####################################
-# Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
-define(`create_socket_perms', `{ create rw_socket_perms }')
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/gpsd.te b/gpsd.te
deleted file mode 100644
index 4b22223..0000000
--- a/gpsd.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# gpsd - GPS daemon
-type gpsd, domain;
-type gpsd_exec, exec_type, file_type;
-
-init_daemon_domain(gpsd)
-net_domain(gpsd)
-allow gpsd gps_data_file:dir rw_dir_perms;
-allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
-# Socket is created by the daemon, not by init, and under /data/gps,
-# not under /dev/socket.
-type_transition gpsd gps_data_file:sock_file gps_socket;
-allow gpsd gps_socket:sock_file create_file_perms;
-# XXX Label sysfs files with a specific type?
-allow gpsd sysfs:file rw_file_perms;
-
-allow gpsd gps_device:chr_file rw_file_perms;
-
-# Execute the shell or system commands.
-allow gpsd shell_exec:file rx_file_perms;
-allow gpsd system_file:file rx_file_perms;
-allow gpsd toolbox_exec:file rx_file_perms;
-
-###
-### neverallow
-###
-
-# gpsd can never have capabilities other than block_suspend
-neverallow gpsd self:capability *;
-neverallow gpsd self:capability2 ~block_suspend;
diff --git a/hci_attach.te b/hci_attach.te
deleted file mode 100644
index 543cae1..0000000
--- a/hci_attach.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type hci_attach, domain, domain_deprecated;
-type hci_attach_exec, exec_type, file_type;
-
-init_daemon_domain(hci_attach)
-
-allow hci_attach kernel:system module_request;
-allow hci_attach hci_attach_dev:chr_file rw_file_perms;
-allow hci_attach bluetooth_efs_file:dir r_dir_perms;
-allow hci_attach bluetooth_efs_file:file r_file_perms;
diff --git a/healthd.te b/healthd.te
deleted file mode 100644
index f54d716..0000000
--- a/healthd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-# healthd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type healthd, domain, domain_deprecated;
-
-# Write to /dev/kmsg
-allow healthd kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(healthd, sysfs)
-
-allow healthd self:capability { net_admin sys_tty_config };
-wakelock_use(healthd)
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
-binder_use(healthd)
-binder_service(healthd)
-binder_call(healthd, system_server)
-
-# Write to state file.
-# TODO:  Split into a separate type?
-allow healthd sysfs:file write;
-
-allow healthd sysfs_batteryinfo:file r_file_perms;
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd self:process execmem;
-allow healthd proc_sysrq:file rw_file_perms;
-allow healthd self:capability sys_boot;
-
-allow healthd batteryproperties_service:service_manager { add find };
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
diff --git a/hostapd.te b/hostapd.te
deleted file mode 100644
index 204a0d9..0000000
--- a/hostapd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# userspace wifi access points
-type hostapd, domain, domain_deprecated;
-type hostapd_exec, exec_type, file_type;
-
-net_domain(hostapd)
-
-allow hostapd self:capability { net_admin net_raw setuid setgid };
-allow hostapd self:netlink_socket create_socket_perms;
-allow hostapd self:netlink_generic_socket create_socket_perms;
-allow hostapd self:packet_socket create_socket_perms;
-allow hostapd self:netlink_route_socket nlmsg_write;
-
-allow hostapd wifi_data_file:file rw_file_perms;
-allow hostapd wifi_data_file:dir create_dir_perms;
-type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
-type_transition hostapd wifi_data_file:dir wpa_socket "hostapd";
-allow hostapd wpa_socket:dir create_dir_perms;
-allow hostapd wpa_socket:sock_file create_file_perms;
-allow hostapd netd:fd use;
-allow hostapd netd:udp_socket { read write };
-allow hostapd netd:fifo_file { read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow hostapd netd:netlink_kobject_uevent_socket { read write };
-allow hostapd netd:netlink_nflog_socket { read write };
-allow hostapd netd:netlink_route_socket { read write };
-allow hostapd netd:unix_stream_socket { read write };
-allow hostapd netd:unix_dgram_socket { read write };
diff --git a/idmap.te b/idmap.te
deleted file mode 100644
index c1b4d0f..0000000
--- a/idmap.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# idmap, when executed by installd
-type idmap, domain, domain_deprecated;
-type idmap_exec, exec_type, file_type;
-
-# Use open file to /data/resource-cache file inherited from installd.
-allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
-
-# Open and read from target and overlay apk files passed by argument.
-allow idmap apk_data_file:file r_file_perms;
diff --git a/init.te b/init.te
deleted file mode 100644
index e1a8217..0000000
--- a/init.te
+++ /dev/null
@@ -1,298 +0,0 @@
-# init is its own domain.
-type init, domain, domain_deprecated, mlstrustedsubject;
-tmpfs_domain(init)
-
-# The init domain is entered by execing init.
-type init_exec, exec_type, file_type;
-
-# /dev/__null__ node created by init.
-allow init tmpfs:chr_file create_file_perms;
-
-#
-# init direct restorecon calls.
-#
-# /dev/socket
-allow init { device socket_device }:dir relabelto;
-# /dev/__properties__
-allow init properties_device:dir relabelto;
-allow init properties_serial:file { write relabelto };
-allow init property_type:file { create_file_perms relabelto };
-
-# setrlimit
-allow init self:capability sys_resource;
-
-# Remove /dev/.booting, created before initial policy load or restorecon /dev.
-allow init tmpfs:file unlink;
-
-# Access pty created for fsck.
-allow init devpts:chr_file { read write open };
-
-# Create /dev/fscklogs files.
-allow init fscklogs:file create_file_perms;
-
-# Access /dev/__null__ node created prior to initial policy load.
-allow init tmpfs:chr_file write;
-
-# Access /dev/console.
-allow init console_device:chr_file rw_file_perms;
-
-# Access /dev/tty0.
-allow init tty_device:chr_file rw_file_perms;
-
-# Call mount(2).
-allow init self:capability sys_admin;
-
-# Create and mount on directories in /.
-allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
-
-# Mount on /dev/usb-ffs/adb.
-allow init device:dir mounton;
-
-# Create and remove symlinks in /.
-allow init rootfs:lnk_file { create unlink };
-
-# Mount debugfs on /sys/kernel/debug.
-allow init sysfs:dir mounton;
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow init tmpfs:dir create_dir_perms;
-allow init tmpfs:dir mounton;
-allow init cgroup:dir create_dir_perms;
-allow init cpuctl_device:dir { create mounton };
-
-# Use tmpfs as /data, used for booting when /data is encrypted
-allow init tmpfs:dir relabelfrom;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:capability dac_override;
-
-# Set system clock.
-allow init self:capability sys_time;
-
-allow init self:capability { sys_rawio mknod };
-
-# Mounting filesystems from block devices.
-allow init dev_type:blk_file r_file_perms;
-
-# Mounting filesystems.
-# Only allow relabelto for types used in context= mount options,
-# which should all be assigned the contextmount_type attribute.
-# This can be done in device-specific policy via type or typeattribute
-# declarations.
-allow init fs_type:filesystem ~relabelto;
-allow init unlabeled:filesystem ~relabelto;
-allow init contextmount_type:filesystem relabelto;
-
-# Allow read-only access to context= mounted filesystems.
-allow init contextmount_type:dir r_dir_perms;
-allow init contextmount_type:notdevfile_class_set r_file_perms;
-
-# restorecon /adb_keys or any other rootfs files and directories to a more
-# specific type.
-allow init rootfs:{ dir file } relabelfrom;
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow init self:capability { chown fowner fsetid };
-allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
-allow init dev_type:dir create_dir_perms;
-allow init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init debugfs_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
-
-# chown/chmod on devices.
-allow init { dev_type -kmem_device }:chr_file { read open setattr };
-
-# Unlabeled file access for upgrades from 4.2.
-allow init unlabeled:dir { create_dir_perms relabelfrom };
-allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-
-# Any operation that can modify the kernel ring buffer, e.g. clear
-# or a read that consumes the messages that were read.
-allow init kernel:system syslog_mod;
-allow init self:capability2 syslog;
-
-# Set usermodehelpers and /proc security settings.
-allow init usermodehelper:file rw_file_perms;
-allow init proc_security:file rw_file_perms;
-
-# Write to /proc/sys/kernel/panic_on_oops.
-allow init proc:file w_file_perms;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-allow init proc_net:file w_file_perms;
-allow init self:capability net_admin;
-
-# Write to /proc/sysrq-trigger.
-allow init proc_sysrq:file w_file_perms;
-
-# Reboot.
-allow init self:capability sys_boot;
-
-# Write to sysfs nodes.
-allow init sysfs_type:dir r_dir_perms;
-allow init sysfs_type:file w_file_perms;
-
-# disksize
-allow init sysfs_zram:file getattr;
-
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, adbd)
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-recovery_only(`
-  domain_trans(init, rootfs, recovery)
-')
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, watchdogd)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
-userdebug_or_eng(`
-  domain_auto_trans(init, logcat_exec, logd)
-')
-
-# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
-# Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { open create read getattr setattr search };
-allow init misc_logd_file:file { getattr };
-
-# Support "adb shell stop"
-allow init self:capability kill;
-allow init domain:process { sigkill signal };
-
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
-# Init creates vold's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init vold_data_file:dir { open create read getattr setattr search };
-allow init vold_data_file:file { getattr };
-
-# Init creates /data/local/tmp at boot
-allow init shell_data_file:dir { open create read getattr setattr search };
-allow init shell_data_file:file { getattr };
-
-# Set UID and GID for services.
-allow init self:capability { setuid setgid };
-
-# For bootchart to read the /proc/$pid/cmdline file of each process,
-# we need to have following line to allow init to have access
-# to different domains.
-r_dir_file(init, domain)
-
-# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
-# setexec is for services with seclabel options.
-# setfscreate is for labeling directories and socket files.
-# setsockcreate is for labeling local/unix domain sockets.
-allow init self:process { setexec setfscreate setsockcreate };
-
-# Perform SELinux access checks on setting properties.
-selinux_check_access(init)
-
-# Ask the kernel for the new context on services to label their sockets.
-allow init kernel:security compute_create;
-
-# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind };
-allow init domain:unix_dgram_socket { create bind };
-
-# Create /data/property and files within it.
-allow init property_data_file:dir create_dir_perms;
-allow init property_data_file:file create_file_perms;
-
-# Set any property.
-allow init property_type:property_service set;
-
-# Run "ifup lo" to bring up the localhost interface
-allow init self:udp_socket { create ioctl };
-allow init self:capability net_raw;
-
-# This line seems suspect, as it should not really need to
-# set scheduling parameters for a kernel domain task.
-allow init kernel:process setsched;
-
-# swapon() needs write access to swap device
-# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
-allow init swap_block_device:blk_file rw_file_perms;
-
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
-# Create and access /dev files without a specific type,
-# e.g. /dev/.coldboot_done, /dev/.booting
-# TODO:  Move these files into their own type unless they are
-# only ever accessed by init.
-allow init device:file create_file_perms;
-
-# Access character devices without a specific type,
-# e.g. /dev/keychord.
-# TODO: Move these devices into their own type unless they
-# are only ever accessed by init.
-allow init device:chr_file { rw_file_perms setattr };
-
-# keychord configuration
-allow init self:capability sys_tty_config;
-
-# Access device mapper for setting up dm-verity
-allow init dm_device:chr_file rw_file_perms;
-allow init dm_device:blk_file rw_file_perms;
-
-# Access metadata block device for storing dm-verity state
-allow init metadata_block_device:blk_file rw_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops to detect restarts caused
-# by dm-verity detecting corrupted blocks
-allow init pstorefs:dir search;
-allow init pstorefs:file r_file_perms;
-allow init kernel:system syslog_read;
-
-# linux keyring configuration
-allow init init:key { write search setattr };
-
-# Allow init to create /data/unencrypted
-allow init unencrypted_data_file:dir create_dir_perms;
-
-unix_socket_connect(init, vold, vold)
-
-###
-### neverallow rules
-###
-
-# The init domain is only entered via setcon from the kernel domain,
-# never via an exec-based transition.
-neverallow domain init:process dyntransition;
-neverallow { domain -kernel} init:process transition;
-neverallow init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow init shell_data_file:lnk_file read;
-neverallow init app_data_file:lnk_file read;
-
-# init should never execute a program without changing to another domain.
-neverallow init { file_type fs_type }:file execute_no_trans;
-
-# Init never adds or uses services via service_manager.
-neverallow init service_manager_type:service_manager { add find };
-neverallow init servicemanager:service_manager list;
-
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow init shell_data_file:dir { write add_name remove_name };
diff --git a/initial_sid_contexts b/initial_sid_contexts
deleted file mode 100644
index 9819051..0000000
--- a/initial_sid_contexts
+++ /dev/null
@@ -1,27 +0,0 @@
-sid kernel u:r:kernel:s0
-sid security u:object_r:kernel:s0
-sid unlabeled u:object_r:unlabeled:s0
-sid fs u:object_r:labeledfs:s0
-sid file u:object_r:unlabeled:s0
-sid file_labels u:object_r:unlabeled:s0
-sid init u:object_r:unlabeled:s0
-sid any_socket u:object_r:unlabeled:s0
-sid port u:object_r:port:s0
-sid netif u:object_r:netif:s0
-sid netmsg u:object_r:unlabeled:s0
-sid node u:object_r:node:s0
-sid igmp_packet u:object_r:unlabeled:s0
-sid icmp_socket u:object_r:unlabeled:s0
-sid tcp_socket u:object_r:unlabeled:s0
-sid sysctl_modprobe u:object_r:unlabeled:s0
-sid sysctl u:object_r:proc:s0
-sid sysctl_fs u:object_r:unlabeled:s0
-sid sysctl_kernel u:object_r:unlabeled:s0
-sid sysctl_net u:object_r:unlabeled:s0
-sid sysctl_net_unix u:object_r:unlabeled:s0
-sid sysctl_vm u:object_r:unlabeled:s0
-sid sysctl_dev u:object_r:unlabeled:s0
-sid kmod u:object_r:unlabeled:s0
-sid policy u:object_r:unlabeled:s0
-sid scmp_packet u:object_r:unlabeled:s0
-sid devnull u:object_r:null_device:s0
diff --git a/initial_sids b/initial_sids
deleted file mode 100644
index 91ac816..0000000
--- a/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/inputflinger.te b/inputflinger.te
deleted file mode 100644
index 324f3f6..0000000
--- a/inputflinger.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# inputflinger
-type inputflinger, domain, domain_deprecated;
-type inputflinger_exec, exec_type, file_type;
-
-init_daemon_domain(inputflinger)
-binder_use(inputflinger)
-binder_service(inputflinger)
-
-binder_call(inputflinger, system_server)
-
-wakelock_use(inputflinger)
-
-allow inputflinger inputflinger_service:service_manager { add find };
-allow inputflinger input_device:dir r_dir_perms;
-allow inputflinger input_device:chr_file rw_file_perms;
diff --git a/install_recovery.te b/install_recovery.te
deleted file mode 100644
index 1c47236..0000000
--- a/install_recovery.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# service flash_recovery in init.rc
-type install_recovery, domain, domain_deprecated;
-type install_recovery_exec, exec_type, file_type;
-
-init_daemon_domain(install_recovery)
-
-allow install_recovery self:capability dac_override;
-
-# /system/bin/install-recovery.sh is a shell script.
-# Needs to execute /system/bin/sh
-allow install_recovery shell_exec:file rx_file_perms;
-
-# Execute /system/bin/applypatch
-allow install_recovery system_file:file rx_file_perms;
-
-allow install_recovery toolbox_exec:file rx_file_perms;
-
-# Update the recovery block device based off a diff of the boot block device
-allow install_recovery block_device:dir search;
-allow install_recovery boot_block_device:blk_file r_file_perms;
-allow install_recovery recovery_block_device:blk_file rw_file_perms;
-
-# Create and delete /cache/saved.file
-allow install_recovery { cache_file cache_recovery_file }:dir rw_dir_perms;
-allow install_recovery { cache_file cache_recovery_file }:file create_file_perms;
-
-auditallow install_recovery cache_recovery_file:dir rw_dir_perms;
-auditallow install_recovery cache_recovery_file:file create_file_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/installd.te b/installd.te
deleted file mode 100644
index 1f83501..0000000
--- a/installd.te
+++ /dev/null
@@ -1,94 +0,0 @@
-# installer daemon
-type installd, domain, domain_deprecated;
-type installd_exec, exec_type, file_type;
-
-init_daemon_domain(installd)
-typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-
-# Allow labeling of files under /data/app/com.example/oat/
-allow installd dalvikcache_data_file:dir relabelto;
-allow installd dalvikcache_data_file:file { relabelto link };
-
-# Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create read unlink };
-
-allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
-allow installd oemfs:dir r_dir_perms;
-allow installd oemfs:file r_file_perms;
-allow installd cgroup:dir create_dir_perms;
-allow installd mnt_expand_file:dir { search getattr };
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-
-# Search /data/app-asec and stat files in it.
-allow installd asec_image_file:dir search;
-allow installd asec_image_file:file getattr;
-
-# Create /data/user and /data/user/0 if necessary.
-# Also required to initially create /data/data subdirectories
-# and lib symlinks before the setfilecon call.  May want to
-# move symlink creation after setfilecon in installd.
-allow installd system_data_file:dir create_dir_perms;
-allow installd system_data_file:lnk_file { create setattr unlink };
-
-# Upgrade /data/media for multi-user if necessary.
-allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file { getattr unlink };
-# restorecon new /data/media directory.
-allow installd system_data_file:dir relabelfrom;
-allow installd media_rw_data_file:dir relabelto;
-
-# Upgrade /data/misc/keychain for multi-user if necessary.
-allow installd misc_user_data_file:dir create_dir_perms;
-allow installd misc_user_data_file:file create_file_perms;
-allow installd keychain_data_file:dir create_dir_perms;
-allow installd keychain_data_file:file {r_file_perms unlink};
-
-# Create /data/.layout_version.* file
-type_transition installd system_data_file:file install_data_file;
-allow installd install_data_file:file create_file_perms;
-
-# Create files under /data/dalvik-cache.
-allow installd dalvikcache_data_file:dir create_dir_perms;
-allow installd dalvikcache_data_file:file create_file_perms;
-
-# Create files under /data/resource-cache.
-allow installd resourcecache_data_file:dir rw_dir_perms;
-allow installd resourcecache_data_file:file create_file_perms;
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
-# Upgrade from unlabeled userdata.
-# Just need enough to remove and/or relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
-# Read pkg.apk file for input during dexopt.
-allow installd unlabeled:file r_file_perms;
-
-# Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it and to unlink removed package files.
-# Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
-
-# Manage /data/data subdirectories, including initially labeling them
-# upon creation via setfilecon or running restorecon_recursive,
-# setting owner/mode, creating symlinks within them, and deleting them
-# upon package uninstall.
-# Types extracted from seapp_contexts type= fields.
-allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { create_dir_perms relabelfrom relabelto };
-allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-
-# Create and use pty created by android_fork_execvp().
-allow installd devpts:chr_file rw_file_perms;
-
-# execute toybox for app relocation
-allow installd toolbox_exec:file rx_file_perms;
diff --git a/ioctl_macros b/ioctl_macros
deleted file mode 100644
index e71e0ce..0000000
--- a/ioctl_macros
+++ /dev/null
@@ -1,11 +0,0 @@
-# socket ioctls allowed to unprivileged apps
-define(`unpriv_sock_ioctls', `
-{
-# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
-0x8900-0x8926 0x8928-0x89ff
-# all wireless extensions ioctls except get/set essid
-# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
-0x8B00-0x8B09 0x8B1C-0x8BFF
-# commonly used TTY ioctls
-0x5411 0x5451
-}')
diff --git a/isolated_app.te b/isolated_app.te
deleted file mode 100644
index 34fe41c..0000000
--- a/isolated_app.te
+++ /dev/null
@@ -1,62 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-### isolated_app includes all the appdomain rules, plus the
-### additional following rules:
-###
-
-type isolated_app, domain, domain_deprecated;
-app_domain(isolated_app)
-
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { read write getattr lock };
-
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
-#####
-##### Neverallow
-#####
-
-# Do not allow isolated_app to directly open tun_device
-neverallow isolated_app tun_device:chr_file open;
-
-# Do not allow isolated_app to set system properties.
-neverallow isolated_app property_socket:sock_file write;
-neverallow isolated_app property_type:property_service set;
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# b/17487348
-# Isolated apps can only access two services,
-# activity_service and display_service
-neverallow isolated_app {
-    service_manager_type
-    -activity_service
-    -display_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
diff --git a/kernel.te b/kernel.te
deleted file mode 100644
index 20b0c0a..0000000
--- a/kernel.te
+++ /dev/null
@@ -1,87 +0,0 @@
-# Life begins with the kernel.
-type kernel, domain, domain_deprecated, mlstrustedsubject;
-
-allow kernel self:capability sys_nice;
-
-# Root fs.
-allow kernel rootfs:dir r_dir_perms;
-allow kernel rootfs:file r_file_perms;
-allow kernel rootfs:lnk_file r_file_perms;
-
-# Get SELinux enforcing status.
-allow kernel selinuxfs:dir r_dir_perms;
-allow kernel selinuxfs:file r_file_perms;
-
-# Allow init relabel itself.
-allow kernel rootfs:file relabelfrom;
-allow kernel init_exec:file relabelto;
-# TODO: investigate why we need this.
-allow kernel init:process share;
-
-# cgroup filesystem initialization prior to setting the cgroup root directory label.
-allow kernel unlabeled:dir search;
-
-# Mount usbfs.
-allow kernel usbfs:filesystem mount;
-allow kernel usbfs:dir search;
-
-# Initial setenforce by init prior to switching to init domain.
-# We use dontaudit instead of allow to prevent a kernel spawned userspace
-# process from turning off SELinux once enabled.
-dontaudit kernel self:security setenforce;
-
-# Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:capability sys_resource;
-
-# Init reboot before switching selinux domains under certain error
-# conditions. Allow it.
-# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
-# remount filesystems read-only. /data is not mounted at this point,
-# so we could ignore this. For now, we allow it.
-allow kernel self:capability sys_boot;
-allow kernel proc_sysrq:file w_file_perms;
-
-# Allow writing to /dev/__kmsg__ which was created prior to
-# loading policy
-allow kernel tmpfs:chr_file write;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel selinuxfs:file write;
-allow kernel self:security setcheckreqprot;
-
-# MTP sync (b/15835289)
-# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel priv_app:fd use;
-allow kernel sdcard_type:file { read write };
-
-# Allow the kernel to read OBB files from app directories. (b/17428116)
-# Kernel thread "loop0" reads a vold supplied file descriptor.
-# Fixes CTS tests:
-#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
-#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
-allow kernel vold:fd use;
-allow kernel app_data_file:file read;
-allow kernel asec_image_file:file read;
-
-domain_auto_trans(kernel, init_exec, init)
-
-###
-### neverallow rules
-###
-
-# The initial task starts in the kernel domain (assigned via
-# initial_sid_contexts), but nothing ever transitions to it.
-neverallow * kernel:process { transition dyntransition };
-
-# The kernel domain is never entered via an exec, nor should it
-# ever execute a program outside the rootfs without changing to another domain.
-# If you encounter an execute_no_trans denial on the kernel domain, then
-# possible causes include:
-# - The program is a kernel usermodehelper.  In this case, define a domain
-#   for the program and domain_auto_trans() to it.
-# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
-#   program was left in the kernel domain and is now trying to execute
-#   some other program.  Fix your init.rc file.
-# - You are running an exploit which switched to the init task credentials
-#   and is then trying to exec a shell or other program.  You lose!
-neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
diff --git a/keys.conf b/keys.conf
deleted file mode 100644
index 7a307b5..0000000
--- a/keys.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# Maps an arbitrary tag [TAGNAME] with the string contents found in
-# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
-# name it after the base file name of the pem file.
-#
-# Each tag (section) then allows one to specify any string found in
-# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
-# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
-#
-
-[@PLATFORM]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
-
-[@MEDIA]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
-
-[@SHARED]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
-
-# Example of ALL TARGET_BUILD_VARIANTS
-[@RELEASE]
-ENG       : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USER      : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-
diff --git a/keystore.te b/keystore.te
deleted file mode 100644
index 9dca43c..0000000
--- a/keystore.te
+++ /dev/null
@@ -1,32 +0,0 @@
-type keystore, domain, domain_deprecated;
-type keystore_exec, exec_type, file_type;
-
-# keystore daemon
-init_daemon_domain(keystore)
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore tee:unix_stream_socket connectto;
-
-allow keystore keystore_service:service_manager { add find };
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-###
-### Neverallow rules
-###
-### Protect ourself from others
-###
-
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow { domain -keystore -init } keystore_data_file:dir *;
-neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-
-neverallow * keystore:process ptrace;
diff --git a/lmkd.te b/lmkd.te
deleted file mode 100644
index ee290a3..0000000
--- a/lmkd.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# lmkd low memory killer daemon
-type lmkd, domain, domain_deprecated, mlstrustedsubject;
-type lmkd_exec, exec_type, file_type;
-
-init_daemon_domain(lmkd)
-
-allow lmkd self:capability { dac_override sys_resource kill };
-
-# lmkd locks itself in memory, to prevent it from being
-# swapped out and unable to kill other memory hogs.
-# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
-# b/16236289
-allow lmkd self:capability ipc_lock;
-
-## Open and write to /proc/PID/oom_score_adj
-## TODO: maybe scope this down?
-r_dir_file(lmkd, appdomain)
-allow lmkd appdomain:file write;
-r_dir_file(lmkd, system_server)
-allow lmkd system_server:file write;
-
-## Writes to /sys/module/lowmemorykiller/parameters/minfree
-allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-
-# Send kill signals
-allow lmkd appdomain:process sigkill;
-
-# Clean up old cgroups
-allow lmkd cgroup:dir { remove_name rmdir };
-
-# Set self to SCHED_FIFO
-allow lmkd self:capability sys_nice;
-
-### neverallow rules
-
-# never honor LD_PRELOAD
-neverallow * lmkd:process noatsecure;
diff --git a/logd.te b/logd.te
deleted file mode 100644
index 7254e53..0000000
--- a/logd.te
+++ /dev/null
@@ -1,67 +0,0 @@
-# android user-space log manager
-type logd, domain, domain_deprecated, mlstrustedsubject;
-type logd_exec, exec_type, file_type;
-
-init_daemon_domain(logd)
-
-# Read access to pseudo filesystems.
-r_dir_file(logd, proc)
-r_dir_file(logd, proc_net)
-
-allow logd self:capability { setuid setgid sys_nice audit_control };
-allow logd self:capability2 syslog;
-allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
-allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file w_file_perms;
-allow logd system_data_file:file r_file_perms;
-# logpersist is only allowed on userdebug and eng builds
-userdebug_or_eng(`
-  allow logd misc_logd_file:file create_file_perms;
-  allow logd misc_logd_file:dir rw_dir_perms;
-')
-allow logd pstorefs:dir search;
-allow logd pstorefs:file r_file_perms;
-
-# Set persist.sys. and sys.powerctl
-set_prop(logd, safemode_prop)
-set_prop(logd, powerctl_prop)
-
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
-r_dir_file(logd, domain)
-
-allow logd kernel:system syslog_mod;
-
-control_logd(logd)
-
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
-userdebug_or_eng(`
-  unix_socket_connect(logd, logdr, logd)
-')
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
-
-# logd is not allowed to write anywhere other than /data/misc/logd, and then
-# only on userdebug or eng builds
-neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file { create write append };
-
-# logpersist is only allowed on userdebug/eng builds
-neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain userdebug_or_eng(`-logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
-neverallow { domain -init } misc_logd_file:dir create;
diff --git a/mac_permissions.xml b/mac_permissions.xml
deleted file mode 100644
index 87efe0e..0000000
--- a/mac_permissions.xml
+++ /dev/null
@@ -1,54 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-
-<!--
-
-    * A signature is a hex encoded X.509 certificate or a tag defined in
-      keys.conf and is required for each signer tag. The signature can
-      either appear as a set of attached cert child tags or as an attribute.
-    * A signer tag must contain a seinfo tag XOR multiple package stanzas.
-    * Each signer/package tag is allowed to contain one seinfo tag. This tag
-      represents additional info that each app can use in setting a SELinux security
-      context on the eventual process as well as the apps data directory.
-    * seinfo assignments are made according to the following rules:
-      - Stanzas with package name refinements will be checked first.
-      - Stanzas w/o package name refinements will be checked second.
-      - The "default" seinfo label is automatically applied.
-
-    * valid stanzas can take one of the following forms:
-
-     // single cert protecting seinfo
-     <signer signature="@PLATFORM" >
-       <seinfo value="platform" />
-     </signer>
-
-     // multiple certs protecting seinfo (all contained certs must match)
-     <signer>
-       <cert signature="@PLATFORM1"/>
-       <cert signature="@PLATFORM2"/>
-       <seinfo value="platform" />
-     </signer>
-
-     // single cert protecting explicitly named app
-     <signer signature="@PLATFORM" >
-       <package name="com.android.foo">
-         <seinfo value="bar" />
-       </package>
-     </signer>
-
-     // multiple certs protecting explicitly named app (all certs must match)
-     <signer>
-       <cert signature="@PLATFORM1"/>
-       <cert signature="@PLATFORM2"/>
-       <package name="com.android.foo">
-         <seinfo value="bar" />
-       </package>
-     </signer>
--->
-
-    <!-- Platform dev key in AOSP -->
-    <signer signature="@PLATFORM" >
-      <seinfo value="platform" />
-    </signer>
-
-</policy>
diff --git a/mdnsd.te b/mdnsd.te
deleted file mode 100644
index a9dc7c5..0000000
--- a/mdnsd.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# mdns daemon
-type mdnsd, domain, mlstrustedsubject;
-type mdnsd_exec, exec_type, file_type;
-
-init_daemon_domain(mdnsd)
-net_domain(mdnsd)
-
-# Read from /proc/net
-r_dir_file(mdnsd, proc_net)
diff --git a/mediaserver.te b/mediaserver.te
deleted file mode 100644
index 7e20002..0000000
--- a/mediaserver.te
+++ /dev/null
@@ -1,124 +0,0 @@
-# mediaserver - multimedia daemon
-type mediaserver, domain, domain_deprecated;
-type mediaserver_exec, exec_type, file_type;
-
-typeattribute mediaserver mlstrustedsubject;
-
-net_domain(mediaserver)
-init_daemon_domain(mediaserver)
-
-r_dir_file(mediaserver, sdcard_type)
-
-# stat /proc/self
-allow mediaserver proc:lnk_file getattr;
-
-# open /vendor/lib/mediadrm
-allow mediaserver system_file:dir r_dir_perms;
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-# Required by Widevine DRM (b/22990512)
-allow mediaserver self:process execmem;
-
-allow mediaserver kernel:system module_request;
-allow mediaserver media_data_file:dir create_dir_perms;
-allow mediaserver media_data_file:file create_file_perms;
-allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver sdcard_type:file write;
-allow mediaserver gpu_device:chr_file rw_file_perms;
-allow mediaserver video_device:dir r_dir_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-allow mediaserver audio_device:dir r_dir_perms;
-allow mediaserver tee_device:chr_file rw_file_perms;
-
-set_prop(mediaserver, audio_prop)
-
-# Access audio devices at all.
-allow mediaserver audio_device:chr_file rw_file_perms;
-
-# XXX Label with a specific type?
-allow mediaserver sysfs:file r_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow mediaserver apk_data_file:file { read getattr };
-allow mediaserver asec_apk_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow mediaserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow mediaserver appdomain:fifo_file { getattr read write };
-
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system_server:fifo_file r_file_perms;
-
-# Camera data
-r_dir_file(mediaserver, camera_data_file)
-r_dir_file(mediaserver, media_rw_data_file)
-
-# Grant access to audio files to mediaserver
-allow mediaserver audio_data_file:dir ra_dir_perms;
-allow mediaserver audio_data_file:file create_file_perms;
-
-# Grant access to read files on appfuse.
-allow mediaserver app_fuse_file:file { read getattr };
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file rw_file_perms;
-allow mediaserver qtaguid_device:chr_file r_file_perms;
-
-# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket { connectto read write setopt };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(mediaserver, drmserver, drmserver)
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(mediaserver, bluetooth, bluetooth)
-
-# Connect to tee service.
-allow mediaserver tee:unix_stream_socket connectto;
-
-allow mediaserver activity_service:service_manager find;
-allow mediaserver appops_service:service_manager find;
-allow mediaserver cameraproxy_service:service_manager find;
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver drmserver_service:service_manager find;
-allow mediaserver mediaserver_service:service_manager { add find };
-allow mediaserver permission_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver processinfo_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-allow mediaserver surfaceflinger_service:service_manager find;
-
-# /oem access
-allow mediaserver oemfs:dir search;
-allow mediaserver oemfs:file r_file_perms;
-
-use_drmservice(mediaserver)
-allow mediaserver drmserver:drmservice {
-    consumeRights
-    setPlaybackStatus
-    openDecryptSession
-    closeDecryptSession
-    initializeDecryptUnit
-    decrypt
-    finalizeDecryptUnit
-    pread
-};
-
-###
-### neverallow rules
-###
-
-# mediaserver should never execute any executable without a
-# domain transition
-neverallow mediaserver { file_type fs_type }:file execute_no_trans;
diff --git a/mls b/mls
deleted file mode 100644
index 5589b4b..0000000
--- a/mls
+++ /dev/null
@@ -1,112 +0,0 @@
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-gen_sens(mls_num_sens)
-gen_cats(mls_num_cats)
-
-# Generate level definitions for each sensitivity and category.
-gen_levels(mls_num_sens,mls_num_cats)
-
-
-#################################################
-# MLS policy constraints
-#
-
-#
-# Process constraints
-#
-
-# Process transition:  Require equivalence unless the subject is trusted.
-mlsconstrain process { transition dyntransition }
-	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Process read operations: No read up unless trusted.
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
-	     (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Process write operations:  Require equivalence unless trusted.
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
-	     (l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Socket constraints
-#
-
-# Create/relabel operations:  Subject must be equivalent to object unless
-# the subject is trusted.  Sockets inherit the range of their creator.
-mlsconstrain socket_class_set { create relabelfrom relabelto }
-	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Datagram send: Sender must be equivalent to the receiver unless one of them
-# is trusted.
-mlsconstrain unix_dgram_socket { sendto }
-	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-# Stream connect:  Client must be equivalent to server unless one of them
-# is trusted.
-mlsconstrain unix_stream_socket { connectto }
-	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-#
-# Directory/file constraints
-#
-
-# Create/relabel operations:  Subject must be equivalent to object unless
-# the subject is trusted. Also, files should always be single-level.
-# Do NOT exempt mlstrustedobject types from this constraint.
-mlsconstrain dir_file_class_set { create relabelfrom relabelto }
-	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-#
-# Constraints for app data files only.
-#
-
-# Only constrain open, not read/write.
-# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must be equivalent to object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
-	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
-mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
-	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Constraints for file types other than app data files.
-#
-
-# Read operations: Subject must dominate object unless the subject
-# or the object is trusted.
-mlsconstrain dir { read getattr search }
-	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
-	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Write operations: Subject must be equivalent to the object unless the
-# subject or the object is trusted.
-mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
-	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
-	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Special case for FIFOs.
-# These can be unnamed pipes, in which case they will be labeled with the
-# creating process' label. Thus we also have an exemption when the "object"
-# is a domain type, so that processes can communicate via unnamed pipes
-# passed by binder or local socket IPC.
-mlsconstrain fifo_file { read getattr }
-	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-mlsconstrain fifo_file { write setattr append unlink link rename }
-	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-#
-# Binder IPC constraints
-#
-# Presently commented out, as apps are expected to call one another.
-# This would only make sense if apps were assigned categories
-# based on allowable communications rather than per-app categories.
-#mlsconstrain binder call
-#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/mls_macros b/mls_macros
deleted file mode 100644
index 83e0542..0000000
--- a/mls_macros
+++ /dev/null
@@ -1,54 +0,0 @@
-########################################
-#
-# gen_cats(N)
-#
-# declares categores c0 to c(N-1)
-#
-define(`decl_cats',`dnl
-category c$1;
-ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
-')
-
-define(`gen_cats',`decl_cats(0,decr($1))')
-
-########################################
-#
-# gen_sens(N)
-#
-# declares sensitivites s0 to s(N-1) with dominance
-# in increasing numeric order with s0 lowest, s(N-1) highest
-#
-define(`decl_sens',`dnl
-sensitivity s$1;
-ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
-')
-
-define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
-
-define(`gen_sens',`
-# Each sensitivity has a name and zero or more aliases.
-decl_sens(0,decr($1))
-
-# Define the ordering of the sensitivity levels (least to greatest)
-dominance { gen_dominance(0,decr($1)) }
-')
-
-########################################
-#
-# gen_levels(N,M)
-#
-# levels from s0 to (N-1) with categories c0 to (M-1)
-#
-define(`decl_levels',`dnl
-level s$1:c0.c$3;
-ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
-')
-
-define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
-
-########################################
-#
-# Basic level names for system low and high
-#
-define(`mls_systemlow',`s0')
-define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/mtp.te b/mtp.te
deleted file mode 100644
index 9677abd..0000000
--- a/mtp.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# vpn tunneling protocol manager
-type mtp, domain, domain_deprecated;
-type mtp_exec, exec_type, file_type;
-
-init_daemon_domain(mtp)
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:socket create_socket_perms;
-allow mtp self:capability net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/net.te b/net.te
deleted file mode 100644
index 6aa12f2..0000000
--- a/net.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/netd.te b/netd.te
deleted file mode 100644
index d6c715c..0000000
--- a/netd.te
+++ /dev/null
@@ -1,88 +0,0 @@
-# network manager
-type netd, domain, domain_deprecated, mlstrustedsubject;
-type netd_exec, exec_type, file_type;
-
-init_daemon_domain(netd)
-net_domain(netd)
-
-allow netd self:capability { net_admin net_raw kill };
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set.  We do not appear to truly need this capability
-# for netd to operate.
-dontaudit netd self:capability fsetid;
-
-allow netd self:netlink_kobject_uevent_socket create_socket_perms;
-allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms;
-allow netd self:netlink_socket create_socket_perms;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms;
-allow netd self:netlink_netfilter_socket create_socket_perms;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-allow netd devpts:chr_file rw_file_perms;
-
-# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file write;
-
-# For /sys/modules/bcmdhd/parameters/firmware_path
-# XXX Split into its own type.
-allow netd sysfs:file write;
-
-# Set dhcp lease for PAN connection
-set_prop(netd, dhcp_prop)
-set_prop(netd, system_prop)
-auditallow netd system_prop:property_service set;
-
-# Connect to PAN
-domain_auto_trans(netd, dhcp_exec, dhcp)
-allow netd dhcp:process signal;
-
-# Needed to update /data/misc/wifi/hostapd.conf
-# TODO: See what we can do to reduce the need for
-# these capabilities
-allow netd self:capability { dac_override chown fowner };
-allow netd wifi_data_file:file create_file_perms;
-allow netd wifi_data_file:dir rw_dir_perms;
-
-# Needed to update /data/misc/net/rt_tables
-allow netd net_data_file:file create_file_perms;
-allow netd net_data_file:dir rw_dir_perms;
-
-# Allow netd to spawn hostapd in it's own domain
-domain_auto_trans(netd, hostapd_exec, hostapd)
-allow netd hostapd:process signal;
-
-# Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-allow netd dnsmasq:process signal;
-
-# Allow netd to start clatd in its own domain
-domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
-
-set_prop(netd, ctl_mdnsd_prop)
-
-# Allow netd to operate on sockets that are passed to it.
-allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
-allow netd netdomain:fd use;
-
-###
-### Neverallow rules
-###
-### netd should NEVER do any of this
-
-# Block device access.
-neverallow netd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow netd { domain }:process ptrace;
-
-# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
diff --git a/neverallow_macros b/neverallow_macros
deleted file mode 100644
index b36cceb..0000000
--- a/neverallow_macros
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-# Common neverallow permissions
-define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
-define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
-define(`no_x_file_perms', `{ execute execute_no_trans }')
-define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
diff --git a/nfc.te b/nfc.te
deleted file mode 100644
index 85572e2..0000000
--- a/nfc.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# nfc subsystem
-type nfc, domain, domain_deprecated;
-app_domain(nfc)
-net_domain(nfc)
-binder_service(nfc)
-
-# Set NFC properties
-set_prop(nfc, nfc_prop)
-
-# NFC device access.
-allow nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow nfc nfc_data_file:dir create_dir_perms;
-allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-
-allow nfc sysfs_nfc_power_writable:file rw_file_perms;
-allow nfc sysfs:file write;
-
-allow nfc drmserver_service:service_manager find;
-allow nfc mediaserver_service:service_manager find;
-allow nfc nfc_service:service_manager { add find };
-allow nfc radio_service:service_manager find;
-allow nfc surfaceflinger_service:service_manager find;
-allow nfc app_api_service:service_manager find;
-allow nfc system_api_service:service_manager find;
-
-# already open bugreport file descriptors may be shared with
-# the nfc process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow nfc shell_data_file:file read;
diff --git a/perfprofd.te b/perfprofd.te
deleted file mode 100644
index 0122c55..0000000
--- a/perfprofd.te
+++ /dev/null
@@ -1,59 +0,0 @@
-# perfprofd - perf profile collection daemon
-type perfprofd_exec, exec_type, file_type;
-
-userdebug_or_eng(`
-
-  type perfprofd, domain, domain_deprecated, mlstrustedsubject;
-
-  init_daemon_domain(perfprofd)
-
-  # perfprofd needs to control CPU hot-plug in order to avoid kernel
-  # perfevents problems in cases where CPU goes on/off during measurement;
-  # this means read access to /sys/devices/system/cpu/possible
-  # and read/write access to /sys/devices/system/cpu/cpu*/online
-  allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
-
-  # perfprofd checks for the existence of and then invokes simpleperf;
-  # simpleperf retains perfprofd domain after exec
-  allow perfprofd system_file:file rx_file_perms;
-
-  # perfprofd reads a config file from /data/data/com.google.android.gms/files
-  allow perfprofd app_data_file:file r_file_perms;
-  allow perfprofd app_data_file:dir search;
-  allow perfprofd self:capability { dac_override };
-
-  # perfprofd opens a file for writing in /data/misc/perfprofd
-  allow perfprofd perfprofd_data_file:file create_file_perms;
-  allow perfprofd perfprofd_data_file:dir rw_dir_perms;
-
-  # perfprofd uses the system log
-  read_logd(perfprofd);
-  write_logd(perfprofd);
-
-  # perfprofd inspects /sys/power/wake_unlock
-  wakelock_use(perfprofd);
-
-  # simpleperf uses ioctl() to turn on kernel perf events measurements
-  allow perfprofd self:capability sys_admin;
-
-  # simpleperf needs to examine /proc to collect task/thread info
-  r_dir_file(perfprofd, domain)
-
-  # simpleperf needs to access /proc/<pid>/exec
-  allow perfprofd self:capability { sys_resource sys_ptrace };
-  neverallow perfprofd domain:process ptrace;
-
-  # simpleperf needs open/read any file that turns up in a profile
-  # to see whether it has a build ID
-  allow perfprofd exec_type:file r_file_perms;
-
-  # simpleperf examines debugfs on startup to collect tracepoint event types
-  allow perfprofd debugfs_tracing:file r_file_perms;
-
-  # simpleperf is going to execute "sleep"
-  allow perfprofd toolbox_exec:file rx_file_perms;
-
-  # needed for simpleperf on some kernels
-  allow perfprofd self:capability ipc_lock;
-
-')
diff --git a/platform_app.te b/platform_app.te
deleted file mode 100644
index 0381288..0000000
--- a/platform_app.te
+++ /dev/null
@@ -1,47 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-type platform_app, domain, domain_deprecated;
-app_domain(platform_app)
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-# Read from /data/local/tmp or /data/data/com.android.shell.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir create_dir_perms;
-allow platform_app asec_apk_file:file create_file_perms;
-
-# Access to /data/media.
-allow platform_app media_rw_data_file:dir create_dir_perms;
-allow platform_app media_rw_data_file:file create_file_perms;
-
-# Write to /cache.
-allow platform_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow platform_app { cache_file cache_recovery_file }:file create_file_perms;
-
-# Likely not needed
-auditallow platform_app cache_recovery_file:dir create_dir_perms;
-auditallow platform_app cache_recovery_file:file create_file_perms;
-
-# Direct access to vold-mounted storage under /mnt/media_rw
-# This is a performance optimization that allows platform apps to bypass the FUSE layer
-allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app vfat:dir create_dir_perms;
-allow platform_app vfat:file create_file_perms;
-
-allow platform_app drmserver_service:service_manager find;
-allow platform_app mediaserver_service:service_manager find;
-allow platform_app persistent_data_block_service:service_manager find;
-allow platform_app radio_service:service_manager find;
-allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app app_api_service:service_manager find;
-allow platform_app system_api_service:service_manager find;
diff --git a/policy_capabilities b/policy_capabilities
deleted file mode 100644
index c7b9d9c..0000000
--- a/policy_capabilities
+++ /dev/null
@@ -1,5 +0,0 @@
-# Enable new networking controls.
-policycap network_peer_controls;
-
-# Enable open permission check.
-policycap open_perms;
diff --git a/port_contexts b/port_contexts
deleted file mode 100644
index b473c0c..0000000
--- a/port_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# portcon statements go here, e.g.
-# portcon tcp 80 u:object_r:http_port:s0
-
diff --git a/postinstall.te b/postinstall.te
deleted file mode 100644
index 8afc561..0000000
--- a/postinstall.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# Domain where the postinstall program runs during the update.
-# Extend the permissions in this domain to allow this program to access other
-# files needed by the specific device on your device's sepolicy directory.
-type postinstall, domain;
-
-# Allow postinstall to write to its stdout/stderr when redirected via pipes to
-# update_engine.
-allow postinstall update_engine:fd use;
-allow postinstall update_engine:fifo_file rw_file_perms;
-
-# Allow postinstall to read and execute directories and files in the same
-# mounted location.
-allow postinstall postinstall_file:file rx_file_perms;
-allow postinstall postinstall_file:lnk_file r_file_perms;
-allow postinstall postinstall_file:dir r_dir_perms;
-
-# Allow postinstall to execute the shell or other system executables.
-allow postinstall shell_exec:file rx_file_perms;
-allow postinstall system_file:file rx_file_perms;
-allow postinstall toolbox_exec:file rx_file_perms;
diff --git a/ppp.te b/ppp.te
deleted file mode 100644
index d7ed70d..0000000
--- a/ppp.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# Point to Point Protocol daemon
-type ppp, domain, domain_deprecated;
-type ppp_device, dev_type;
-type ppp_exec, exec_type, file_type;
-domain_auto_trans(mtp, ppp_exec, ppp)
-
-net_domain(ppp)
-
-allow ppp mtp:socket rw_socket_perms;
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
-allow ppp system_file:file rx_file_perms;
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/priv_app.te b/priv_app.te
deleted file mode 100644
index 9146263..0000000
--- a/priv_app.te
+++ /dev/null
@@ -1,123 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-type priv_app, domain, domain_deprecated;
-app_domain(priv_app)
-# Access the network.
-net_domain(priv_app)
-# Access bluetooth.
-bluetooth_domain(priv_app)
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow priv_app app_data_file:file rx_file_perms;
-
-# android.process.media uses /dev/mtp_usb
-allow priv_app mtp_device:chr_file rw_file_perms;
-
-# Allow the allocation and use of ptys
-# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
-create_pty(priv_app)
-
-allow priv_app drmserver_service:service_manager find;
-allow priv_app mediaserver_service:service_manager find;
-allow priv_app nfc_service:service_manager find;
-allow priv_app radio_service:service_manager find;
-allow priv_app surfaceflinger_service:service_manager find;
-allow priv_app app_api_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
-allow priv_app persistent_data_block_service:service_manager find;
-allow priv_app recovery_service:service_manager find;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow priv_app mnt_media_rw_file:dir search;
-
-# Write to /cache.
-allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
-
-# Access to /data/media.
-allow priv_app media_rw_data_file:dir create_dir_perms;
-allow priv_app media_rw_data_file:file create_file_perms;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow priv_app shell_data_file:file r_file_perms;
-allow priv_app shell_data_file:dir r_dir_perms;
-
-# Allow verifier to access staged apks.
-allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-
-# b/18504118: Allow reads from /data/anr/traces.txt
-allow priv_app anr_data_file:file r_file_perms;
-
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
-  allow priv_app perfprofd_data_file:file r_file_perms;
-  allow priv_app perfprofd_data_file:dir r_dir_perms;
-')
-
-# Allow GMS core to stat files and executables on
-# the system partition
-allow priv_app exec_type:file getattr;
-
-# For AppFuse.
-allow priv_app vold:fd use;
-allow priv_app fuse_device:chr_file { read write };
-allow priv_app app_fuse_file:dir rw_dir_perms;
-allow priv_app app_fuse_file:file rw_file_perms;
-
-# /sys access
-allow priv_app sysfs_zram:dir search;
-allow priv_app sysfs_zram:file r_file_perms;
-
-# Allow GMS core to communicate with update_engine for A/B update.
-binder_call(priv_app, update_engine)
-allow priv_app update_engine_service:service_manager find;
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow priv_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow priv_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
-
-# Do not allow privileged apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow priv_app service_manager_type:service_manager add;
-
-# Do not allow privileged apps to connect to the property service
-# or set properties. b/10243159
-neverallow priv_app property_socket:sock_file write;
-neverallow priv_app init:unix_stream_socket connectto;
-neverallow priv_app property_type:property_service set;
-
-# Do not allow priv_app to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints.  As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and priv_app is allowed fork permission to itself.
-neverallow priv_app mlstrustedsubject:process fork;
-
-# Do not allow priv_app to hard link to any files.
-# In particular, if priv_app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure priv_app never has this
-# capability.
-neverallow priv_app file_type:file link;
diff --git a/property.te b/property.te
deleted file mode 100644
index 26d15ff..0000000
--- a/property.te
+++ /dev/null
@@ -1,38 +0,0 @@
-type default_prop, property_type, core_property_type;
-type shell_prop, property_type, core_property_type;
-type debug_prop, property_type, core_property_type;
-type dumpstate_prop, property_type, core_property_type;
-type persist_debug_prop, property_type, core_property_type;
-type debuggerd_prop, property_type, core_property_type;
-type dhcp_prop, property_type, core_property_type;
-type fingerprint_prop, property_type, core_property_type;
-type ffs_prop, property_type, core_property_type;
-type radio_prop, property_type, core_property_type;
-type net_radio_prop, property_type, core_property_type;
-type system_radio_prop, property_type, core_property_type;
-type system_prop, property_type, core_property_type;
-type vold_prop, property_type, core_property_type;
-type ctl_bootanim_prop, property_type;
-type ctl_default_prop, property_type;
-type ctl_dhcp_pan_prop, property_type;
-type ctl_dumpstate_prop, property_type;
-type ctl_fuse_prop, property_type;
-type ctl_mdnsd_prop, property_type;
-type ctl_rildaemon_prop, property_type;
-type ctl_bugreport_prop, property_type;
-type ctl_console_prop, property_type;
-type audio_prop, property_type, core_property_type;
-type logd_prop, property_type, core_property_type;
-type mmc_prop, property_type;
-type restorecon_prop, property_type, core_property_type;
-type security_prop, property_type, core_property_type;
-type bluetooth_prop, property_type, core_property_type;
-type pan_result_prop, property_type, core_property_type;
-type powerctl_prop, property_type, core_property_type;
-type nfc_prop, property_type, core_property_type;
-type dalvik_prop, property_type, core_property_type;
-type config_prop, property_type, core_property_type;
-type device_logging_prop, property_type;
-type safemode_prop, property_type;
-
-allow property_type tmpfs:filesystem associate;
diff --git a/property_contexts b/property_contexts
deleted file mode 100644
index 66f1f14..0000000
--- a/property_contexts
+++ /dev/null
@@ -1,92 +0,0 @@
-##########################
-# property service keys
-#
-#
-net.rmnet               u:object_r:net_radio_prop:s0
-net.gprs                u:object_r:net_radio_prop:s0
-net.ppp                 u:object_r:net_radio_prop:s0
-net.qmi                 u:object_r:net_radio_prop:s0
-net.lte                 u:object_r:net_radio_prop:s0
-net.cdma                u:object_r:net_radio_prop:s0
-net.dns                 u:object_r:net_radio_prop:s0
-sys.usb.config          u:object_r:system_radio_prop:s0
-ril.                    u:object_r:radio_prop:s0
-ro.ril.                 u:object_r:radio_prop:s0
-gsm.                    u:object_r:radio_prop:s0
-persist.radio           u:object_r:radio_prop:s0
-
-net.                    u:object_r:system_prop:s0
-dev.                    u:object_r:system_prop:s0
-ro.runtime.             u:object_r:system_prop:s0
-hw.                     u:object_r:system_prop:s0
-ro.hw.                  u:object_r:system_prop:s0
-sys.                    u:object_r:system_prop:s0
-sys.powerctl            u:object_r:powerctl_prop:s0
-sys.usb.ffs.            u:object_r:ffs_prop:s0
-service.                u:object_r:system_prop:s0
-wlan.                   u:object_r:system_prop:s0
-dhcp.                   u:object_r:dhcp_prop:s0
-dhcp.bt-pan.result      u:object_r:pan_result_prop:s0
-bluetooth.              u:object_r:bluetooth_prop:s0
-
-debug.                  u:object_r:debug_prop:s0
-debug.db.               u:object_r:debuggerd_prop:s0
-dumpstate.              u:object_r:dumpstate_prop:s0
-log.                    u:object_r:shell_prop:s0
-service.adb.root        u:object_r:shell_prop:s0
-service.adb.tcp.port    u:object_r:shell_prop:s0
-
-persist.audio.          u:object_r:audio_prop:s0
-persist.bluetooth.      u:object_r:bluetooth_prop:s0
-persist.debug.          u:object_r:persist_debug_prop:s0
-persist.logd.           u:object_r:logd_prop:s0
-persist.logd.security   u:object_r:device_logging_prop:s0
-persist.log.tag         u:object_r:logd_prop:s0
-persist.mmc.            u:object_r:mmc_prop:s0
-persist.sys.            u:object_r:system_prop:s0
-persist.sys.safemode    u:object_r:safemode_prop:s0
-persist.sys.audit_safemode      u:object_r:safemode_prop:s0
-persist.service.        u:object_r:system_prop:s0
-persist.service.bdroid. u:object_r:bluetooth_prop:s0
-persist.security.       u:object_r:system_prop:s0
-
-# Boolean property set by system server upon boot indicating
-# if device owner is provisioned.
-ro.device_owner         u:object_r:device_logging_prop:s0
-
-# selinux non-persistent properties
-selinux.restorecon_recursive   u:object_r:restorecon_prop:s0
-selinux.                       u:object_r:security_prop:s0
-
-# default property context
-*                       u:object_r:default_prop:s0
-
-# data partition encryption properties
-vold.                   u:object_r:vold_prop:s0
-ro.crypto.              u:object_r:vold_prop:s0
-
-# ro.build.fingerprint is either set in /system/build.prop, or is
-# set at runtime by system_server.
-ro.build.fingerprint    u:object_r:fingerprint_prop:s0
-
-# ctl properties
-ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
-ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
-ctl.fuse_               u:object_r:ctl_fuse_prop:s0
-ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
-ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
-ctl.bugreport           u:object_r:ctl_bugreport_prop:s0
-ctl.dhcpcd_bt-pan       u:object_r:ctl_dhcp_pan_prop:s0
-ctl.console             u:object_r:ctl_console_prop:s0
-ctl.                    u:object_r:ctl_default_prop:s0
-
-# NFC properties
-nfc.                    u:object_r:nfc_prop:s0
-
-# These properties are not normally set by processes other than init.
-# They are only distinguished here for setting by qemu-props on the
-# emulator/goldfish.
-config.                 u:object_r:config_prop:s0
-ro.config.              u:object_r:config_prop:s0
-dalvik.                 u:object_r:dalvik_prop:s0
-ro.dalvik.              u:object_r:dalvik_prop:s0
diff --git a/racoon.te b/racoon.te
deleted file mode 100644
index bf272d1..0000000
--- a/racoon.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# IKE key management daemon
-type racoon, domain, domain_deprecated;
-type racoon_exec, exec_type, file_type;
-
-init_daemon_domain(racoon)
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allow racoon cgroup:dir { add_name create };
-allow racoon kernel:system module_request;
-
-allow racoon self:key_socket create_socket_perms;
-allow racoon self:tun_socket create_socket_perms;
-allow racoon self:capability { net_admin net_bind_service net_raw setuid };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
-	get
-	sign
-	verify
-};
diff --git a/radio.te b/radio.te
deleted file mode 100644
index 448fdb5..0000000
--- a/radio.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# phone subsystem
-type radio, domain, domain_deprecated, mlstrustedsubject;
-app_domain(radio)
-net_domain(radio)
-bluetooth_domain(radio)
-binder_service(radio)
-
-# Talks to rild via the rild socket.
-unix_socket_connect(radio, rild, rild)
-
-# Data file accesses.
-allow radio radio_data_file:dir create_dir_perms;
-allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
-allow radio alarm_device:chr_file rw_file_perms;
-
-allow radio net_data_file:dir search;
-allow radio net_data_file:file r_file_perms;
-
-# Property service
-set_prop(radio, radio_prop)
-set_prop(radio, system_radio_prop)
-set_prop(radio, net_radio_prop)
-auditallow radio net_radio_prop:property_service set;
-auditallow radio system_radio_prop:property_service set;
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
-allow radio drmserver_service:service_manager find;
-allow radio mediaserver_service:service_manager find;
-allow radio radio_service:service_manager { add find };
-allow radio surfaceflinger_service:service_manager find;
-allow radio app_api_service:service_manager find;
-allow radio system_api_service:service_manager find;
diff --git a/recovery.te b/recovery.te
deleted file mode 100644
index d5767ed..0000000
--- a/recovery.te
+++ /dev/null
@@ -1,121 +0,0 @@
-# recovery console (used in recovery init.rc for /sbin/recovery)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type recovery, domain, domain_deprecated;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
-  allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
-
-  # Set security contexts on files that are not known to the loaded policy.
-  allow recovery self:capability2 mac_admin;
-
-  # Run helpers from / or /system without changing domain.
-  allow recovery rootfs:file execute_no_trans;
-  allow recovery system_file:file execute_no_trans;
-  allow recovery toolbox_exec:file rx_file_perms;
-
-  # Mount filesystems.
-  allow recovery rootfs:dir mounton;
-  allow recovery fs_type:filesystem ~relabelto;
-  allow recovery unlabeled:filesystem ~relabelto;
-  allow recovery contextmount_type:filesystem relabelto;
-
-  # Create and relabel files and directories under /system.
-  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
-
-  # We may be asked to set an SELinux label for a type not known to the
-  # currently loaded policy. Allow it.
-  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
-
-  # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
-  # support to OTAs. However, that code has a bug. When an update occurs,
-  # some directories are inappropriately labeled as exec_type. This is
-  # only transient, and subsequent steps in the OTA script correct this
-  # mistake. New devices are moving to block based OTAs, so this is not
-  # worth fixing. b/15575013
-  allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
-
-  # Write to /proc/sys/vm/drop_caches
-  allow recovery proc_drop_caches:file w_file_perms;
-
-  # Write to /sys/class/android_usb/android0/enable.
-  # TODO: create more specific label?
-  allow recovery sysfs:file w_file_perms;
-
-  allow recovery sysfs_batteryinfo:file r_file_perms;
-
-  allow recovery kernel:system syslog_read;
-
-  # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
-  allow recovery adb_device:chr_file rw_file_perms;
-  allow recovery functionfs:dir search;
-  allow recovery functionfs:file rw_file_perms;
-
-  # Required to e.g. wipe userdata/cache.
-  allow recovery device:dir r_dir_perms;
-  allow recovery block_device:dir r_dir_perms;
-  allow recovery dev_type:blk_file rw_file_perms;
-
-  # GUI
-  allow recovery self:process execmem;
-  allow recovery ashmem_device:chr_file execute;
-  allow recovery graphics_device:chr_file rw_file_perms;
-  allow recovery graphics_device:dir r_dir_perms;
-  allow recovery input_device:dir r_dir_perms;
-  allow recovery input_device:chr_file r_file_perms;
-  allow recovery tty_device:chr_file rw_file_perms;
-
-  # Create /tmp/recovery.log and execute /tmp/update_binary.
-  allow recovery tmpfs:file { create_file_perms x_file_perms };
-  allow recovery tmpfs:dir create_dir_perms;
-
-  # Manage files on /cache and /cache/recovery
-  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
-  allow recovery { cache_file cache_recovery_file }:file create_file_perms;
-
-  # Read files on /oem.
-  r_dir_file(recovery, oemfs);
-
-  # Reboot the device
-  set_prop(recovery, powerctl_prop)
-
-  # Start/stop adbd via ctl.start adbd
-  set_prop(recovery, ctl_default_prop)
-
-  # Use setfscreatecon() to label files for OTA updates.
-  allow recovery self:process setfscreate;
-
-  # Allow recovery to create a fuse filesystem, and read files from it.
-  allow recovery fuse_device:chr_file rw_file_perms;
-  allow recovery fuse:dir r_dir_perms;
-  allow recovery fuse:file r_file_perms;
-
-  wakelock_use(recovery)
-
-  # This line seems suspect, as it should not really need to
-  # set scheduling parameters for a kernel domain task.
-  allow recovery kernel:process setsched;
-')
-
-###
-### neverallow rules
-###
-
-# Recovery should never touch /data.
-#
-# In particular, if /data is encrypted, it is not accessible
-# to recovery anyway.
-#
-# For now, we only enforce write/execute restrictions, as domain.te
-# contains a number of read-only rules that apply to all
-# domains, including recovery.
-#
-# TODO: tighten this up further.
-neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
-neverallow recovery data_file_type:dir no_w_dir_perms;
diff --git a/recovery_persist.te b/recovery_persist.te
deleted file mode 100644
index 19a240f..0000000
--- a/recovery_persist.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# android recovery persistent log manager
-type recovery_persist, domain;
-type recovery_persist_exec, exec_type, file_type;
-
-init_daemon_domain(recovery_persist)
-
-allow recovery_persist pstorefs:dir search;
-allow recovery_persist pstorefs:file r_file_perms;
-
-allow recovery_persist recovery_data_file:file create_file_perms;
-allow recovery_persist recovery_data_file:dir create_dir_perms;
-
-###
-### Neverallow rules
-###
-### recovery_persist should NEVER do any of this
-
-# Block device access.
-neverallow recovery_persist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_persist domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
-
-# Write to files in /data/data
-neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
-
-# recovery_persist is not allowed to write anywhere other than recovery_data_file
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/recovery_refresh.te b/recovery_refresh.te
deleted file mode 100644
index 9fae110..0000000
--- a/recovery_refresh.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# android recovery refresh log manager
-type recovery_refresh, domain;
-type recovery_refresh_exec, exec_type, file_type;
-
-init_daemon_domain(recovery_refresh)
-
-allow recovery_refresh pstorefs:dir search;
-allow recovery_refresh pstorefs:file r_file_perms;
-# NB: domain inherits write_logd which hands us write to pmsg_device
-
-###
-### Neverallow rules
-###
-### recovery_refresh should NEVER do any of this
-
-# Block device access.
-neverallow recovery_refresh dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_refresh domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
-
-# recovery_refresh is not allowed to write anywhere
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/rild.te b/rild.te
deleted file mode 100644
index e2856a3..0000000
--- a/rild.te
+++ /dev/null
@@ -1,47 +0,0 @@
-# rild - radio interface layer daemon
-type rild, domain, domain_deprecated;
-type rild_exec, exec_type, file_type;
-
-init_daemon_domain(rild)
-net_domain(rild)
-allow rild self:netlink_route_socket nlmsg_write;
-allow rild kernel:system module_request;
-allow rild self:capability { setuid net_admin net_raw };
-allow rild alarm_device:chr_file rw_file_perms;
-allow rild cgroup:dir create_dir_perms;
-allow rild radio_device:chr_file rw_file_perms;
-allow rild radio_device:blk_file r_file_perms;
-allow rild mtd_device:dir search;
-allow rild efs_file:dir create_dir_perms;
-allow rild efs_file:file create_file_perms;
-allow rild shell_exec:file rx_file_perms;
-allow rild bluetooth_efs_file:file r_file_perms;
-allow rild bluetooth_efs_file:dir r_dir_perms;
-allow rild radio_data_file:dir rw_dir_perms;
-allow rild radio_data_file:file create_file_perms;
-allow rild sdcard_type:dir r_dir_perms;
-allow rild system_data_file:dir r_dir_perms;
-allow rild system_data_file:file r_file_perms;
-allow rild system_file:file x_file_perms;
-
-# property service
-set_prop(rild, radio_prop)
-set_prop(rild, net_radio_prop)
-set_prop(rild, system_radio_prop)
-auditallow rild net_radio_prop:property_service set;
-auditallow rild system_radio_prop:property_service set;
-
-# Read/Write to uart driver (for GPS)
-allow rild gps_device:chr_file rw_file_perms;
-
-allow rild tty_device:chr_file rw_file_perms;
-
-# Allow rild to create and use netlink sockets.
-allow rild self:netlink_socket create_socket_perms;
-allow rild self:netlink_generic_socket create_socket_perms;
-allow rild self:netlink_kobject_uevent_socket create_socket_perms;
-
-# Access to wake locks
-wakelock_use(rild)
-
-allow rild self:socket create_socket_perms;
diff --git a/roles b/roles
deleted file mode 100644
index af5fe8b..0000000
--- a/roles
+++ /dev/null
@@ -1,2 +0,0 @@
-role r;
-role r types domain;
diff --git a/runas.te b/runas.te
deleted file mode 100644
index 58a1bdc..0000000
--- a/runas.te
+++ /dev/null
@@ -1,33 +0,0 @@
-type runas, domain, domain_deprecated, mlstrustedsubject;
-type runas_exec, exec_type, file_type;
-
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
-allow runas adbd:process sigchld;
-allow runas shell:fd use;
-allow runas shell:fifo_file { read write };
-allow runas devpts:chr_file { read write ioctl };
-allow runas shell_data_file:file { read write };
-
-# run-as reads package information.
-allow runas system_data_file:file r_file_perms;
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
-
-# run-as switches to the app security context.
-selinux_check_context(runas) # validate context
-allow runas self:process setcurrent;
-allow runas non_system_app_set:process dyntransition; # setcon
-
-###
-### neverallow rules
-###
-
-# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:capability ~{ setuid setgid };
-neverallow runas self:capability2 *;
diff --git a/sdcardd.te b/sdcardd.te
deleted file mode 100644
index 846c59b..0000000
--- a/sdcardd.te
+++ /dev/null
@@ -1,40 +0,0 @@
-type sdcardd, domain, domain_deprecated;
-type sdcardd_exec, exec_type, file_type;
-
-allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
-allow sdcardd tmpfs:dir r_dir_perms;
-allow sdcardd mnt_media_rw_file:dir r_dir_perms;
-allow sdcardd storage_file:dir search;
-allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
-
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
-
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
-allow sdcardd media_rw_data_file:dir create_dir_perms;
-allow sdcardd media_rw_data_file:file create_file_perms;
-
-# Read /data/system/packages.list.
-allow sdcardd system_data_file:file r_file_perms;
-
-# Read /data/.layout_version
-allow sdcardd install_data_file:file r_file_perms;
-
-# Allow stdin/out back to vold
-allow sdcardd vold:fd use;
-allow sdcardd vold:fifo_file { read write getattr };
-
-# Allow running on top of expanded storage
-allow sdcardd mnt_expand_file:dir search;
-
-###
-### neverallow rules
-###
-
-# The sdcard daemon should no longer be started from init
-neverallow init sdcardd_exec:file execute;
-neverallow init sdcardd:process { transition dyntransition };
diff --git a/seapp_contexts b/seapp_contexts
deleted file mode 100644
index d8d2240..0000000
--- a/seapp_contexts
+++ /dev/null
@@ -1,92 +0,0 @@
-# Input selectors:
-#	isSystemServer (boolean)
-#	isOwner (boolean)
-#	user (string)
-#	seinfo (string)
-#	name (string)
-#	path (string)
-#	isPrivApp (boolean)
-# isSystemServer=true can only be used once.
-# An unspecified isSystemServer defaults to false.
-# isOwner=true will only match for the owner/primary user.
-# isOwner=false will only match for secondary users.
-# If unspecified, the entry can match either case.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
-# isPrivApp=true will only match for applications preinstalled in
-#       /system/priv-app.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
-#
-# Precedence rules:
-# 	  (1) isSystemServer=true before isSystemServer=false.
-# 	  (2) Specified isOwner= before unspecified isOwner= boolean.
-#	  (3) Specified user= string before unspecified user= string.
-#	  (4) Fixed user= string before user= prefix (i.e. ending in *).
-#	  (5) Longer user= prefix before shorter user= prefix.
-#	  (6) Specified seinfo= string before unspecified seinfo= string.
-#	      ':' character is reserved and may not be used.
-#	  (7) Specified name= string before unspecified name= string.
-#	  (8) Specified path= string before unspecified path= string.
-# 	  (9) Specified isPrivApp= before unspecified isPrivApp= boolean.
-#
-# Outputs:
-#	domain (string)
-#	type (string)
-#	levelFrom (string; one of none, all, app, or user)
-#	level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
-# levelFrom=user is only supported for _app or _isolated UIDs.
-# levelFrom=app or levelFrom=all is only supported for _app UIDs.
-# level may be used to specify a fixed level for any UID.
-#
-#
-# Neverallow Assertions
-# Additional compile time assertion checks can be added as well. The assertion
-# rules are lines beginning with the keyword neverallow. Full support for PCRE
-# regular expressions exists on all input and output selectors. Neverallow
-# rules are never output to the built seapp_contexts file. Like all keywords,
-# neverallows are case-insensitive. A neverallow is asserted when all key value
-# inputs are matched on a key value rule line.
-#
-
-# only the system server can be in system_server domain
-neverallow isSystemServer=false domain=system_server
-neverallow isSystemServer="" domain=system_server
-
-# system domains should never be assigned outside of system uid
-neverallow user=((?!system).)* domain=system_app
-neverallow user=((?!system).)* type=system_app_data_file
-
-# anything with a non-known uid with a specified name should have a specified seinfo
-neverallow user=_app name=.* seinfo=""
-neverallow user=_app name=.* seinfo=default
-
-# neverallow shared relro to any other domain
-# and neverallow any other uid into shared_relro
-neverallow user=shared_relro domain=((?!shared_relro).)*
-neverallow user=((?!shared_relro).)* domain=shared_relro
-
-# neverallow non-isolated uids into isolated_app domain
-# and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
-neverallow user=((?!_isolated).)* domain=isolated_app
-
-# uid shell should always be in shell domain, however non-shell
-# uid's can be in shell domain
-neverallow user=shell domain=((?!shell).)*
-
-isSystemServer=true domain=system_server
-user=system seinfo=platform domain=system_app type=system_app_data_file
-user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=nfc seinfo=platform domain=nfc type=nfc_data_file
-user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
-user=_isolated domain=isolated_app levelFrom=user
-user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
-user=_app domain=untrusted_app type=app_data_file levelFrom=user
diff --git a/security_classes b/security_classes
deleted file mode 100644
index 680d3dd..0000000
--- a/security_classes
+++ /dev/null
@@ -1,110 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_firewall_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_ip6fw_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Property service
-class property_service          # userspace
-
-# Service manager
-class service_manager           # userspace
-
-# Keystore Key
-class keystore_key              # userspace
-
-# debuggerd service
-class debuggerd                 # userspace
-
-class drmservice                # userspace
-# FLASK
diff --git a/service.te b/service.te
deleted file mode 100644
index fb5b9f4..0000000
--- a/service.te
+++ /dev/null
@@ -1,106 +0,0 @@
-type bluetooth_service,         service_manager_type;
-type default_android_service,   service_manager_type;
-type drmserver_service,         service_manager_type;
-type gatekeeper_service,        app_api_service, service_manager_type;
-type fingerprintd_service,      service_manager_type;
-type batteryproperties_service, app_api_service, service_manager_type;
-type inputflinger_service,      service_manager_type;
-type keystore_service,          service_manager_type;
-type mediaserver_service,       service_manager_type;
-type nfc_service,               service_manager_type;
-type radio_service,             service_manager_type;
-type surfaceflinger_service,    service_manager_type;
-type system_app_service,        service_manager_type;
-type update_engine_service,     service_manager_type;
-
-# system_server_services broken down
-type accessibility_service, app_api_service, system_server_service, service_manager_type;
-type account_service, app_api_service, system_server_service, service_manager_type;
-type activity_service, app_api_service, system_server_service, service_manager_type;
-type alarm_service, app_api_service, system_server_service, service_manager_type;
-type appops_service, app_api_service, system_server_service, service_manager_type;
-type appwidget_service, app_api_service, system_server_service, service_manager_type;
-type assetatlas_service, app_api_service, system_server_service, service_manager_type;
-type audio_service, app_api_service, system_server_service, service_manager_type;
-type backup_service, app_api_service, system_server_service, service_manager_type;
-type batterystats_service, app_api_service, system_server_service, service_manager_type;
-type battery_service, system_server_service, service_manager_type;
-type bluetooth_manager_service, app_api_service, system_server_service, service_manager_type;
-type cameraproxy_service, system_server_service, service_manager_type;
-type clipboard_service, app_api_service, system_server_service, service_manager_type;
-type IProxyService_service, system_api_service, system_server_service, service_manager_type;
-type commontime_management_service, system_server_service, service_manager_type;
-type connectivity_service, app_api_service, system_server_service, service_manager_type;
-type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
-type content_service, app_api_service, system_server_service, service_manager_type;
-type country_detector_service, app_api_service, system_server_service, service_manager_type;
-type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
-type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type deviceidle_service, app_api_service, system_server_service, service_manager_type;
-type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, system_api_service, system_server_service, service_manager_type;
-type display_service, app_api_service, system_server_service, service_manager_type;
-type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, app_api_service, system_server_service, service_manager_type;
-type dropbox_service, app_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
-type hardware_service, system_server_service, service_manager_type;
-type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
-type input_method_service, app_api_service, system_server_service, service_manager_type;
-type input_service, app_api_service, system_server_service, service_manager_type;
-type imms_service, app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, app_api_service, system_server_service, service_manager_type;
-type launcherapps_service, app_api_service, system_server_service, service_manager_type;
-type location_service, app_api_service, system_server_service, service_manager_type;
-type lock_settings_service, system_api_service, system_server_service, service_manager_type;
-type media_projection_service, app_api_service, system_server_service, service_manager_type;
-type media_router_service, app_api_service, system_server_service, service_manager_type;
-type media_session_service, app_api_service, system_server_service, service_manager_type;
-type meminfo_service, system_api_service, system_server_service, service_manager_type;
-type midi_service, app_api_service, system_server_service, service_manager_type;
-type mount_service, app_api_service, system_server_service, service_manager_type;
-type netpolicy_service, app_api_service, system_server_service, service_manager_type;
-type netstats_service, app_api_service, system_server_service, service_manager_type;
-type network_management_service, app_api_service, system_server_service, service_manager_type;
-type network_score_service, system_api_service, system_server_service, service_manager_type;
-type notification_service, app_api_service, system_server_service, service_manager_type;
-type package_service, app_api_service, system_server_service, service_manager_type;
-type permission_service, app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
-type power_service, app_api_service, system_server_service, service_manager_type;
-type print_service, app_api_service, system_server_service, service_manager_type;
-type processinfo_service, system_server_service, service_manager_type;
-type procstats_service, app_api_service, system_server_service, service_manager_type;
-type recovery_service, system_server_service, service_manager_type;
-type registry_service, app_api_service, system_server_service, service_manager_type;
-type restrictions_service, app_api_service, system_server_service, service_manager_type;
-type rttmanager_service, app_api_service, system_server_service, service_manager_type;
-type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, system_server_service, service_manager_type;
-type search_service, app_api_service, system_server_service, service_manager_type;
-type sensorservice_service, app_api_service, system_server_service, service_manager_type;
-type serial_service, system_api_service, system_server_service, service_manager_type;
-type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
-type statusbar_service, app_api_service, system_server_service, service_manager_type;
-type task_service, system_server_service, service_manager_type;
-type textservices_service, app_api_service, system_server_service, service_manager_type;
-type telecom_service, app_api_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, system_server_service, service_manager_type;
-type tv_input_service, app_api_service, system_server_service, service_manager_type;
-type uimode_service, app_api_service, system_server_service, service_manager_type;
-type updatelock_service, system_api_service, system_server_service, service_manager_type;
-type usagestats_service, app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, system_server_service, service_manager_type;
-type user_service, app_api_service, system_server_service, service_manager_type;
-type vibrator_service, app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
-type wallpaper_service, app_api_service, system_server_service, service_manager_type;
-type webviewupdate_service, app_api_service, system_server_service, service_manager_type;
-type wifip2p_service, app_api_service, system_server_service, service_manager_type;
-type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, app_api_service, system_server_service, service_manager_type;
-type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
deleted file mode 100644
index 0e77818..0000000
--- a/service_contexts
+++ /dev/null
@@ -1,132 +0,0 @@
-accessibility                             u:object_r:accessibility_service:s0
-account                                   u:object_r:account_service:s0
-activity                                  u:object_r:activity_service:s0
-alarm                                     u:object_r:alarm_service:s0
-android.os.UpdateEngineService            u:object_r:update_engine_service:s0
-android.security.keystore                 u:object_r:keystore_service:s0
-android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
-appops                                    u:object_r:appops_service:s0
-appwidget                                 u:object_r:appwidget_service:s0
-assetatlas                                u:object_r:assetatlas_service:s0
-audio                                     u:object_r:audio_service:s0
-backup                                    u:object_r:backup_service:s0
-batteryproperties                         u:object_r:batteryproperties_service:s0
-batterystats                              u:object_r:batterystats_service:s0
-battery                                   u:object_r:battery_service:s0
-bluetooth_manager                         u:object_r:bluetooth_manager_service:s0
-bluetooth                                 u:object_r:bluetooth_service:s0
-carrier_config                            u:object_r:radio_service:s0
-clipboard                                 u:object_r:clipboard_service:s0
-com.android.net.IProxyService             u:object_r:IProxyService_service:s0
-commontime_management                     u:object_r:commontime_management_service:s0
-common_time.clock                        u:object_r:mediaserver_service:s0
-common_time.config                       u:object_r:mediaserver_service:s0
-connectivity                              u:object_r:connectivity_service:s0
-consumer_ir                               u:object_r:consumer_ir_service:s0
-content                                   u:object_r:content_service:s0
-country_detector                          u:object_r:country_detector_service:s0
-cpuinfo                                   u:object_r:cpuinfo_service:s0
-dbinfo                                    u:object_r:dbinfo_service:s0
-device_policy                             u:object_r:device_policy_service:s0
-deviceidle                                u:object_r:deviceidle_service:s0
-devicestoragemonitor                      u:object_r:devicestoragemonitor_service:s0
-diskstats                                 u:object_r:diskstats_service:s0
-display.qservice                          u:object_r:surfaceflinger_service:s0
-display                                   u:object_r:display_service:s0
-DockObserver                              u:object_r:DockObserver_service:s0
-dreams                                    u:object_r:dreams_service:s0
-drm.drmManager                            u:object_r:drmserver_service:s0
-dropbox                                   u:object_r:dropbox_service:s0
-ethernet                                  u:object_r:ethernet_service:s0
-fingerprint                               u:object_r:fingerprint_service:s0
-android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
-gfxinfo                                   u:object_r:gfxinfo_service:s0
-graphicsstats                             u:object_r:graphicsstats_service:s0
-hardware                                  u:object_r:hardware_service:s0
-hdmi_control                              u:object_r:hdmi_control_service:s0
-inputflinger                              u:object_r:inputflinger_service:s0
-input_method                              u:object_r:input_method_service:s0
-input                                     u:object_r:input_service:s0
-iphonesubinfo_msim                        u:object_r:radio_service:s0
-iphonesubinfo2                            u:object_r:radio_service:s0
-iphonesubinfo                             u:object_r:radio_service:s0
-ims                                       u:object_r:radio_service:s0
-imms                                      u:object_r:imms_service:s0
-isms_msim                                 u:object_r:radio_service:s0
-isms2                                     u:object_r:radio_service:s0
-isms                                      u:object_r:radio_service:s0
-isub                                      u:object_r:radio_service:s0
-jobscheduler                              u:object_r:jobscheduler_service:s0
-launcherapps                              u:object_r:launcherapps_service:s0
-location                                  u:object_r:location_service:s0
-lock_settings                             u:object_r:lock_settings_service:s0
-media.audio_flinger                       u:object_r:mediaserver_service:s0
-media.audio_policy                        u:object_r:mediaserver_service:s0
-media.camera                              u:object_r:mediaserver_service:s0
-media.camera.proxy                        u:object_r:cameraproxy_service:s0
-media.log                                 u:object_r:mediaserver_service:s0
-media.player                              u:object_r:mediaserver_service:s0
-media.resource_manager                    u:object_r:mediaserver_service:s0
-media.radio                               u:object_r:mediaserver_service:s0
-media.sound_trigger_hw                    u:object_r:mediaserver_service:s0
-media_projection                          u:object_r:media_projection_service:s0
-media_router                              u:object_r:media_router_service:s0
-media_session                             u:object_r:media_session_service:s0
-meminfo                                   u:object_r:meminfo_service:s0
-midi                                      u:object_r:midi_service:s0
-mount                                     u:object_r:mount_service:s0
-netpolicy                                 u:object_r:netpolicy_service:s0
-netstats                                  u:object_r:netstats_service:s0
-network_management                        u:object_r:network_management_service:s0
-network_score                             u:object_r:network_score_service:s0
-nfc                                       u:object_r:nfc_service:s0
-notification                              u:object_r:notification_service:s0
-package                                   u:object_r:package_service:s0
-permission                                u:object_r:permission_service:s0
-persistent_data_block                     u:object_r:persistent_data_block_service:s0
-phone_msim                                u:object_r:radio_service:s0
-phone1                                    u:object_r:radio_service:s0
-phone2                                    u:object_r:radio_service:s0
-phone                                     u:object_r:radio_service:s0
-power                                     u:object_r:power_service:s0
-print                                     u:object_r:print_service:s0
-processinfo                               u:object_r:processinfo_service:s0
-procstats                                 u:object_r:procstats_service:s0
-radio.phonesubinfo                        u:object_r:radio_service:s0
-radio.phone                               u:object_r:radio_service:s0
-radio.sms                                 u:object_r:radio_service:s0
-recovery                                  u:object_r:recovery_service:s0
-restrictions                              u:object_r:restrictions_service:s0
-rttmanager                                u:object_r:rttmanager_service:s0
-samplingprofiler                          u:object_r:samplingprofiler_service:s0
-scheduling_policy                         u:object_r:scheduling_policy_service:s0
-search                                    u:object_r:search_service:s0
-sensorservice                             u:object_r:sensorservice_service:s0
-serial                                    u:object_r:serial_service:s0
-servicediscovery                          u:object_r:servicediscovery_service:s0
-simphonebook_msim                         u:object_r:radio_service:s0
-simphonebook2                             u:object_r:radio_service:s0
-simphonebook                              u:object_r:radio_service:s0
-sip                                       u:object_r:radio_service:s0
-statusbar                                 u:object_r:statusbar_service:s0
-SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
-task                                      u:object_r:task_service:s0
-telecom                                   u:object_r:telecom_service:s0
-telephony.registry                        u:object_r:registry_service:s0
-textservices                              u:object_r:textservices_service:s0
-trust                                     u:object_r:trust_service:s0
-tv_input                                  u:object_r:tv_input_service:s0
-uimode                                    u:object_r:uimode_service:s0
-updatelock                                u:object_r:updatelock_service:s0
-usagestats                                u:object_r:usagestats_service:s0
-usb                                       u:object_r:usb_service:s0
-user                                      u:object_r:user_service:s0
-vibrator                                  u:object_r:vibrator_service:s0
-voiceinteraction                          u:object_r:voiceinteraction_service:s0
-wallpaper                                 u:object_r:wallpaper_service:s0
-webviewupdate                             u:object_r:webviewupdate_service:s0
-wifip2p                                   u:object_r:wifip2p_service:s0
-wifiscanner                               u:object_r:wifiscanner_service:s0
-wifi                                      u:object_r:wifi_service:s0
-window                                    u:object_r:window_service:s0
-*                                         u:object_r:default_android_service:s0
diff --git a/servicemanager.te b/servicemanager.te
deleted file mode 100644
index 84605d1..0000000
--- a/servicemanager.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# servicemanager - the Binder context manager
-type servicemanager, domain, domain_deprecated, mlstrustedsubject;
-type servicemanager_exec, exec_type, file_type;
-
-init_daemon_domain(servicemanager)
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains.  It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
-
-# Check SELinux permissions.
-selinux_check_access(servicemanager)
diff --git a/sgdisk.te b/sgdisk.te
deleted file mode 100644
index 43636d4..0000000
--- a/sgdisk.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# sgdisk called from vold
-type sgdisk, domain, domain_deprecated;
-type sgdisk_exec, exec_type, file_type;
-
-# Allowed to read/write low-level partition tables
-allow sgdisk block_device:dir search;
-allow sgdisk vold_device:blk_file rw_file_perms;
-
-# Inherit and use pty created by android_fork_execvp()
-allow sgdisk devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow sgdisk vold:fd use;
-allow sgdisk vold:fifo_file { read write getattr };
-
-# Used to probe kernel to reload partition tables
-allow sgdisk self:capability sys_admin;
-
-# Only allow entry from vold
-neverallow { domain -vold } sgdisk:process transition;
-neverallow * sgdisk:process dyntransition;
-neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/shared_relro.te b/shared_relro.te
deleted file mode 100644
index 30af14a..0000000
--- a/shared_relro.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain, domain_deprecated;
-
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
-
-# Grant write access to the shared relro files/directory.
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro webviewupdate_service:service_manager find;
diff --git a/shell.te b/shell.te
deleted file mode 100644
index 8878873..0000000
--- a/shell.te
+++ /dev/null
@@ -1,135 +0,0 @@
-# Domain for shell processes spawned by ADB or console service.
-type shell, domain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
-
-# Create and use network sockets.
-net_domain(shell)
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# logcat
-read_logd(shell)
-control_logd(shell)
-# logcat -L (directly, or via dumpstate)
-allow shell pstorefs:dir search;
-allow shell pstorefs:file r_file_perms;
-# logpersistd (nee logcatd) files
-userdebug_or_eng(`
-  allow shell misc_logd_file:dir r_dir_perms;
-  allow shell misc_logd_file:file r_file_perms;
-')
-
-# Root fs.
-allow shell rootfs:dir r_dir_perms;
-
-# read files in /data/anr
-allow shell anr_data_file:dir r_dir_perms;
-allow shell anr_data_file:file r_file_perms;
-
-# Access /data/local/tmp.
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-allow shell shell_data_file:lnk_file create_file_perms;
-
-# Read/execute files in /data/nativetest
-userdebug_or_eng(`
-  allow shell nativetest_data_file:dir r_dir_perms;
-  allow shell nativetest_data_file:file rx_file_perms;
-')
-
-# adb bugreport
-unix_socket_connect(shell, dumpstate, dumpstate)
-
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-allow shell input_device:dir r_dir_perms;
-allow shell input_device:chr_file rw_file_perms;
-r_dir_file(shell, system_file)
-allow shell system_file:file x_file_perms;
-allow shell toolbox_exec:file rx_file_perms;
-allow shell shell_exec:file rx_file_perms;
-allow shell zygote_exec:file rx_file_perms;
-
-r_dir_file(shell, apk_data_file)
-
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, powerctl_prop)
-
-# systrace support - allow atrace to run
-allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file rw_file_perms;
-allow shell debugfs_trace_marker:file getattr;
-allow shell atrace_exec:file rx_file_perms;
-
-userdebug_or_eng(`
-  # "systrace --boot" support - allow boottrace service to run
-  allow shell boottrace_data_file:dir rw_dir_perms;
-  allow shell boottrace_data_file:file create_file_perms;
-  set_prop(shell, persist_debug_prop)
-')
-
-# allow shell to run dmesg
-allow shell kernel:system syslog_read;
-
-# allow shell access to services
-allow shell servicemanager:service_manager list;
-# don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service }:service_manager find;
-
-# allow shell to look through /proc/ for ps, top, netstat
-r_dir_file(shell, proc)
-r_dir_file(shell, proc_net)
-r_dir_file(shell, cgroup)
-allow shell domain:dir { search open read getattr };
-allow shell domain:{ file lnk_file } { open read getattr };
-
-# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
-allow shell { proc labeledfs }:filesystem getattr;
-
-# stat() of /dev
-allow shell device:dir getattr;
-
-# allow shell to read /proc/pid/attr/current for ps -Z
-allow shell domain:process getattr;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow shell selinuxfs:dir r_dir_perms;
-allow shell selinuxfs:file r_file_perms;
-
-# enable shell domain to read/write files/dirs for bootchart data
-# User will creates the start and stop file via adb shell
-# and read other files created by init process under /data/bootchart
-allow shell bootchart_data_file:dir rw_dir_perms;
-allow shell bootchart_data_file:file create_file_perms;
-
-# Make sure strace works for the non-privileged shell user
-allow shell self:process ptrace;
-
-# allow shell to get battery info
-allow shell sysfs_batteryinfo:file r_file_perms;
-allow shell sysfs:dir r_dir_perms;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;
-
-###
-### Neverallow rules
-###
-
-# Do not allow shell to hard link to any files.
-# In particular, if shell hard links to app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure the shell user never has this
-# capability.
-neverallow shell file_type:file link;
diff --git a/slideshow.te b/slideshow.te
deleted file mode 100644
index 3165a65..0000000
--- a/slideshow.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# slideshow seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type slideshow, domain, domain_deprecated;
-
-allow slideshow kmsg_device:chr_file rw_file_perms;
-wakelock_use(slideshow)
-allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability sys_tty_config;
-allow slideshow graphics_device:dir r_dir_perms;
-allow slideshow graphics_device:chr_file rw_file_perms;
-allow slideshow input_device:dir r_dir_perms;
-allow slideshow input_device:chr_file r_file_perms;
-allow slideshow tty_device:chr_file rw_file_perms;
-
diff --git a/su.te b/su.te
deleted file mode 100644
index f58f7a3..0000000
--- a/su.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
-userdebug_or_eng(`
-  # Domain used for su processes, as well as for adbd and adb shell
-  # after performing an adb root command.  The domain definition is
-  # wrapped to ensure that it does not exist at all on -user builds.
-  type su, domain, mlstrustedsubject;
-  domain_auto_trans(shell, su_exec, su)
-
-  # Allow dumpstate to call su on userdebug / eng builds to collect
-  # additional information.
-  domain_auto_trans(dumpstate, su_exec, su)
-
-  # Make sure that dumpstate runs the same from the "su" domain as
-  # from the "init" domain.
-  domain_auto_trans(su, dumpstate_exec, dumpstate)
-
-  # su is also permissive to permit setenforce.
-  permissive su;
-
-  # Add su to various domains
-  net_domain(su)
-  app_domain(su)
-
-  dontaudit su self:capability_class_set *;
-  dontaudit su kernel:security *;
-  dontaudit su kernel:system *;
-  dontaudit su self:memprotect *;
-  dontaudit su domain:process *;
-  dontaudit su domain:fd *;
-  dontaudit su domain:dir *;
-  dontaudit su domain:lnk_file *;
-  dontaudit su domain:{ fifo_file file } *;
-  dontaudit su domain:socket_class_set *;
-  dontaudit su domain:ipc_class_set *;
-  dontaudit su domain:key *;
-  dontaudit su fs_type:filesystem *;
-  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
-  dontaudit su node_type:node *;
-  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
-  dontaudit su netif_type:netif *;
-  dontaudit su port_type:socket_class_set *;
-  dontaudit su port_type:{ tcp_socket dccp_socket } *;
-  dontaudit su domain:peer *;
-  dontaudit su domain:binder *;
-  dontaudit su property_type:property_service *;
-  dontaudit su property_type:file *;
-  dontaudit su service_manager_type:service_manager *;
-  dontaudit su servicemanager:service_manager list;
-  dontaudit su keystore:keystore_key *;
-  dontaudit su domain:debuggerd *;
-  dontaudit su domain:drmservice *;
-  dontaudit su unlabeled:filesystem *;
-')
diff --git a/surfaceflinger.te b/surfaceflinger.te
deleted file mode 100644
index fbe1dd0..0000000
--- a/surfaceflinger.te
+++ /dev/null
@@ -1,68 +0,0 @@
-# surfaceflinger - display compositor service
-type surfaceflinger, domain, domain_deprecated;
-type surfaceflinger_exec, exec_type, file_type;
-
-init_daemon_domain(surfaceflinger)
-typeattribute surfaceflinger mlstrustedsubject;
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
-binder_call(surfaceflinger, bootanim)
-binder_service(surfaceflinger)
-
-# Binder IPC to bu, presently runs in adbd domain.
-binder_call(surfaceflinger, adbd)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, appdomain)
-
-# Access the GPU.
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:dir r_dir_perms;
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
-
-# Set properties.
-set_prop(surfaceflinger, system_prop)
-set_prop(surfaceflinger, ctl_bootanim_prop)
-
-# Use open files supplied by an app.
-allow surfaceflinger app_data_file:file { read write };
-
-# Allow a dumpstate triggered screenshot
-binder_call(surfaceflinger, dumpstate)
-binder_call(surfaceflinger, shell)
-r_dir_file(surfaceflinger, dumpstate)
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-allow surfaceflinger tee:unix_stream_socket connectto;
-allow surfaceflinger tee_device:chr_file rw_file_perms;
-
-
-# media.player service
-allow surfaceflinger mediaserver_service:service_manager find;
-allow surfaceflinger permission_service:service_manager find;
-allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
-allow surfaceflinger window_service:service_manager find;
-
-###
-### Neverallow rules
-###
-### surfaceflinger should NEVER do any of this
-
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
diff --git a/system_app.te b/system_app.te
deleted file mode 100644
index 355f6d4..0000000
--- a/system_app.te
+++ /dev/null
@@ -1,73 +0,0 @@
-#
-# Apps that run with the system UID, e.g. com.android.system.ui,
-# com.android.settings.  These are not as privileged as the system
-# server.
-#
-type system_app, domain, domain_deprecated;
-app_domain(system_app)
-net_domain(system_app)
-binder_service(system_app)
-
-# Read and write /data/data subdirectory.
-allow system_app system_app_data_file:dir create_dir_perms;
-allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
-
-# Read and write to /data/misc/user.
-allow system_app misc_user_data_file:dir create_dir_perms;
-allow system_app misc_user_data_file:file create_file_perms;
-
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Write to properties
-set_prop(system_app, bluetooth_prop)
-set_prop(system_app, debug_prop)
-set_prop(system_app, system_prop)
-set_prop(system_app, logd_prop)
-set_prop(system_app, net_radio_prop)
-set_prop(system_app, system_radio_prop)
-auditallow system_app net_radio_prop:property_service set;
-auditallow system_app system_radio_prop:property_service set;
-
-# ctl interface
-set_prop(system_app, ctl_default_prop)
-set_prop(system_app, ctl_bugreport_prop)
-
-# Create /data/anr/traces.txt.
-allow system_app anr_data_file:dir ra_dir_perms;
-allow system_app anr_data_file:file create_file_perms;
-
-# Settings need to access app name and icon from asec
-allow system_app asec_apk_file:file r_file_perms;
-
-allow system_app servicemanager:service_manager list;
-allow system_app service_manager_type:service_manager find;
-
-allow system_app keystore:keystore_key {
-	get_state
-	get
-	insert
-	delete
-	exist
-	list
-	reset
-	password
-	lock
-	unlock
-	is_empty
-	sign
-	verify
-	grant
-	duplicate
-	clear_uid
-	user_changed
-};
-
-# /sys access
-allow system_app sysfs_zram:dir search;
-allow system_app sysfs_zram:file r_file_perms;
-
-control_logd(system_app)
diff --git a/system_server.te b/system_server.te
deleted file mode 100644
index 6ab48e7..0000000
--- a/system_server.te
+++ /dev/null
@@ -1,490 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system_server, domain, domain_deprecated, mlstrustedsubject;
-
-# Define a type for tmpfs-backed ashmem regions.
-tmpfs_domain(system_server)
-
-# For art.
-allow system_server dalvikcache_data_file:file execute;
-allow system_server dalvikcache_data_file:dir r_dir_perms;
-
-# /data/resource-cache
-allow system_server resourcecache_data_file:file r_file_perms;
-allow system_server resourcecache_data_file:dir r_dir_perms;
-
-# ptrace to processes in the same domain for debugging crashes.
-allow system_server self:process ptrace;
-
-# Child of the zygote.
-allow system_server zygote:fd use;
-allow system_server zygote:process sigchld;
-allow system_server zygote_tmpfs:file read;
-
-# May kill zygote on crashes.
-allow system_server zygote:process sigkill;
-
-# Read /system/bin/app_process.
-allow system_server zygote_exec:file r_file_perms;
-
-# Needed to close the zygote socket, which involves getopt / getattr
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
-# system server gets network and bluetooth permissions.
-net_domain(system_server)
-bluetooth_domain(system_server)
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-allow system_server self:capability {
-    kill
-    net_admin
-    net_bind_service
-    net_broadcast
-    net_raw
-    sys_boot
-    sys_nice
-    sys_resource
-    sys_time
-    sys_tty_config
-};
-
-wakelock_use(system_server)
-
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system_server self:capability sys_ptrace;
-
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
-# Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
-
-# Use generic netlink sockets.
-allow system_server self:netlink_socket create_socket_perms;
-allow system_server self:netlink_generic_socket create_socket_perms;
-
-# Use generic "sockets" where the address family is not known
-# to the kernel.
-allow system_server self:socket create_socket_perms;
-
-# Set and get routes directly via netlink.
-allow system_server self:netlink_route_socket nlmsg_write;
-
-# Kill apps.
-allow system_server appdomain:process { sigkill signal };
-
-# Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
-allow system_server mediaserver:process { getsched setsched };
-
-# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
-# within system_server to keep track of memory and CPU usage for
-# all processes on the device.
-r_dir_file(system_server, domain)
-
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system_server qtaguid_proc:file rw_file_perms;
-allow system_server qtaguid_device:chr_file rw_file_perms;
-
-# Read /proc/uid_cputime/show_uid_stat.
-allow system_server proc_uid_cputime_showstat:file r_file_perms;
-
-# Write /proc/uid_cputime/remove_uid_range.
-allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
-
-# Write to /proc/sysrq-trigger.
-allow system_server proc_sysrq:file rw_file_perms;
-
-# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-
-# The DhcpClient and WifiWatchdog use packet_sockets
-allow system_server self:packet_socket create_socket_perms;
-
-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create_socket_perms;
-
-# Notify init of death.
-allow system_server init:process sigchld;
-
-# Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, installd, installd)
-unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, netd, netd)
-unix_socket_connect(system_server, vold, vold)
-unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, gps, gpsd)
-unix_socket_connect(system_server, racoon, racoon)
-unix_socket_send(system_server, wpa, wpa)
-
-# Communicate over a socket created by surfaceflinger.
-allow system_server surfaceflinger:unix_stream_socket { read write setopt };
-
-# Perform Binder IPC.
-binder_use(system_server)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, fingerprintd)
-binder_call(system_server, appdomain)
-binder_call(system_server, dumpstate)
-binder_service(system_server)
-
-# Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
-
-# Read /proc/pid files for dumping stack traces of native processes.
-r_dir_file(system_server, mediaserver)
-r_dir_file(system_server, sdcardd)
-r_dir_file(system_server, surfaceflinger)
-r_dir_file(system_server, inputflinger)
-
-# Use sockets received over binder from various services.
-allow system_server mediaserver:tcp_socket rw_socket_perms;
-allow system_server mediaserver:udp_socket rw_socket_perms;
-
-# Check SELinux permissions.
-selinux_check_access(system_server)
-
-# XXX Label sysfs files with a specific type?
-allow system_server sysfs:file rw_file_perms;
-allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
-allow system_server sysfs_mac_address:file r_file_perms;
-allow system_server sysfs_thermal:dir search;
-allow system_server sysfs_thermal:file r_file_perms;
-
-# Access devices.
-allow system_server device:dir r_dir_perms;
-allow system_server mdns_socket:sock_file rw_file_perms;
-allow system_server alarm_device:chr_file rw_file_perms;
-allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server iio_device:chr_file rw_file_perms;
-allow system_server input_device:dir r_dir_perms;
-allow system_server input_device:chr_file rw_file_perms;
-allow system_server radio_device:chr_file r_file_perms;
-allow system_server tty_device:chr_file rw_file_perms;
-allow system_server usbaccessory_device:chr_file rw_file_perms;
-allow system_server video_device:dir r_dir_perms;
-allow system_server video_device:chr_file rw_file_perms;
-allow system_server adbd_socket:sock_file rw_file_perms;
-allow system_server rtc_device:chr_file rw_file_perms;
-allow system_server audio_device:dir r_dir_perms;
-
-# write access needed for MIDI
-allow system_server audio_device:chr_file rw_file_perms;
-
-# tun device used for 3rd party vpn apps
-allow system_server tun_device:chr_file rw_file_perms;
-
-# Manage system data files.
-allow system_server system_data_file:dir create_dir_perms;
-allow system_server system_data_file:notdevfile_class_set create_file_perms;
-allow system_server keychain_data_file:dir create_dir_perms;
-allow system_server keychain_data_file:file create_file_perms;
-
-# Manage /data/app.
-allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:file { create_file_perms link };
-allow system_server apk_tmp_file:dir create_dir_perms;
-allow system_server apk_tmp_file:file create_file_perms;
-
-# Manage /data/app-private.
-allow system_server apk_private_data_file:dir create_dir_perms;
-allow system_server apk_private_data_file:file create_file_perms;
-allow system_server apk_private_tmp_file:dir create_dir_perms;
-allow system_server apk_private_tmp_file:file create_file_perms;
-
-# Manage files within asec containers.
-allow system_server asec_apk_file:dir create_dir_perms;
-allow system_server asec_apk_file:file create_file_perms;
-allow system_server asec_public_file:file create_file_perms;
-
-# Manage /data/anr.
-allow system_server anr_data_file:dir create_dir_perms;
-allow system_server anr_data_file:file create_file_perms;
-
-# Manage /data/backup.
-allow system_server backup_data_file:dir create_dir_perms;
-allow system_server backup_data_file:file create_file_perms;
-
-# Write to /data/system/heapdump
-allow system_server heapdump_data_file:dir rw_dir_perms;
-allow system_server heapdump_data_file:file create_file_perms;
-
-# Manage /data/misc/adb.
-allow system_server adb_keys_file:dir create_dir_perms;
-allow system_server adb_keys_file:file create_file_perms;
-
-# Manage /data/misc/sms.
-# TODO:  Split into a separate type?
-allow system_server radio_data_file:dir create_dir_perms;
-allow system_server radio_data_file:file create_file_perms;
-
-# Manage /data/misc/systemkeys.
-allow system_server systemkeys_data_file:dir create_dir_perms;
-allow system_server systemkeys_data_file:file create_file_perms;
-
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Manage /data/misc/vpn.
-allow system_server vpn_data_file:dir create_dir_perms;
-allow system_server vpn_data_file:file create_file_perms;
-
-# Manage /data/misc/wifi.
-allow system_server wifi_data_file:dir create_dir_perms;
-allow system_server wifi_data_file:file create_file_perms;
-
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
-# Walk /data/data subdirectories.
-# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
-# Also permit for unlabeled /data/data subdirectories and
-# for unlabeled asec containers on upgrades from 4.2.
-allow system_server unlabeled:dir r_dir_perms;
-# Read pkg.apk file before it has been relabeled by vold.
-allow system_server unlabeled:file r_file_perms;
-
-# Populate com.android.providers.settings/databases/settings.db.
-allow system_server system_app_data_file:dir create_dir_perms;
-allow system_server system_app_data_file:file create_file_perms;
-
-# Receive and use open app data files passed over binder IPC.
-# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };
-
-# Receive and use open /data/media files passed over binder IPC.
-allow system_server media_rw_data_file:file { getattr read write };
-
-# Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system_server system_data_file:file relabelfrom;
-allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { rw_file_perms unlink };
-
-# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
-allow system_server system_data_file:dir relabelfrom;
-
-# Property Service write
-set_prop(system_server, system_prop)
-set_prop(system_server, safemode_prop)
-set_prop(system_server, dhcp_prop)
-set_prop(system_server, net_radio_prop)
-set_prop(system_server, system_radio_prop)
-set_prop(system_server, debug_prop)
-set_prop(system_server, powerctl_prop)
-set_prop(system_server, fingerprint_prop)
-set_prop(system_server, device_logging_prop)
-
-# ctl interface
-set_prop(system_server, ctl_default_prop)
-set_prop(system_server, ctl_dhcp_pan_prop)
-set_prop(system_server, ctl_bugreport_prop)
-
-# Create a socket for receiving info from wpa.
-type_transition system_server wifi_data_file:sock_file system_wpa_socket;
-type_transition system_server wpa_socket:sock_file system_wpa_socket;
-allow system_server wpa_socket:dir rw_dir_perms;
-allow system_server system_wpa_socket:sock_file create_file_perms;
-
-# Remove sockets created by wpa_supplicant
-allow system_server wpa_socket:sock_file unlink;
-
-# Create a socket for connections from debuggerd.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
-allow system_server system_ndebug_socket:sock_file create_file_perms;
-
-# Manage cache files.
-allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
-allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
-allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
-
-# Run system programs, e.g. dexopt.
-allow system_server system_file:file x_file_perms;
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system_server gps_device:chr_file rw_file_perms;
-allow system_server gps_control:file rw_file_perms;
-
-# Allow system_server to use app-created sockets and pipes.
-allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
-
-# Allow abstract socket connection
-allow system_server rild:unix_stream_socket connectto;
-
-# BackupManagerService lets PMS create a data backup file
-allow system_server cache_backup_file:file create_file_perms;
-# Relabel /data/backup
-allow system_server backup_data_file:dir { relabelto relabelfrom };
-# Relabel /cache/.*\.{data|restore}
-allow system_server cache_backup_file:file { relabelto relabelfrom };
-# LocalTransport creates and relabels /cache/backup
-allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
-
-# Allow system to talk to usb device
-allow system_server usb_device:chr_file rw_file_perms;
-allow system_server usb_device:dir r_dir_perms;
-
-# Allow system to talk to sensors
-allow system_server sensors_device:chr_file rw_file_perms;
-
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
-# Read and delete files under /dev/fscklogs.
-r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
-
-# logd access, system_server inherit logd write socket
-# (urge is to deprecate this long term)
-allow system_server zygote:unix_dgram_socket write;
-
-# Read from log daemon.
-read_logd(system_server)
-
-# Be consistent with DAC permissions. Allow system_server to write to
-# /sys/module/lowmemorykiller/parameters/adj
-# /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow system_server pstorefs:dir r_dir_perms;
-allow system_server pstorefs:file r_file_perms;
-
-# /sys access
-allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
-
-allow system_server drmserver_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
-allow system_server fingerprintd_service:service_manager find;
-allow system_server mediaserver_service:service_manager find;
-allow system_server nfc_service:service_manager find;
-allow system_server radio_service:service_manager find;
-allow system_server system_server_service:service_manager { add find };
-allow system_server surfaceflinger_service:service_manager find;
-
-allow system_server keystore:keystore_key {
-	get_state
-	get
-	insert
-	delete
-	exist
-	list
-	reset
-	password
-	lock
-	unlock
-	is_empty
-	sign
-	verify
-	grant
-	duplicate
-	clear_uid
-	add_auth
-	user_changed
-};
-
-# Allow system server to search and write to the persistent factory reset
-# protection partition. This block device does not get wiped in a factory reset.
-allow system_server block_device:dir search;
-allow system_server frp_block_device:blk_file rw_file_perms;
-
-# Clean up old cgroups
-allow system_server cgroup:dir { remove_name rmdir };
-
-# /oem access
-r_dir_file(system_server, oemfs)
-
-# Allow resolving per-user storage symlinks
-allow system_server { mnt_user_file storage_file }:dir { getattr search };
-allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
-
-# Allow statfs() on storage devices, which happens fast enough that
-# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
-
-# Traverse into expanded storage
-allow system_server mnt_expand_file:dir r_dir_perms;
-
-# Allow system process to relabel the fingerprint directory after mkdir
-# and delete the directory and files when no longer needed
-allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
-allow system_server fingerprintd_data_file:file { getattr unlink };
-
-userdebug_or_eng(`
-  # Allow system server to create and write method traces in /data/misc/trace.
-  allow system_server method_trace_data_file:dir w_dir_perms;
-  allow system_server method_trace_data_file:file { create w_file_perms };
-')
-
-# For AppFuse.
-allow system_server vold:fd use;
-allow system_server fuse_device:chr_file { read write ioctl getattr };
-
-# Connect to adbd and use a socket transferred from it.
-# Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-###
-### Neverallow rules
-###
-### system_server should NEVER do any of this
-
-# Do not allow opening files from external storage as unsafe ejection
-# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
-
-# system server should never be operating on zygote spawned app data
-# files directly. Rather, they should always be passed via a
-# file descriptor.
-# Types extracted from seapp_contexts type= fields, excluding
-# those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
-
-# system_server should never be executing dex2oat. This is either
-# a bug (for example, bug 16317188), or represents an attempt by
-# system server to dynamically load a dex file, something we do not
-# want to allow.
-neverallow system_server dex2oat_exec:file no_x_file_perms;
-
-# system_server should never execute anything from /data except for /data/dalvik-cache files.
-neverallow system_server {
-  data_file_type
-  -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
-
-# The only block device system_server should be accessing is
-# the frp_block_device. This helps avoid a system_server to root
-# escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
-
-# system_server should never use JIT functionality
-neverallow system_server self:process execmem;
-neverallow system_server ashmem_device:chr_file execute;
-neverallow system_server system_server_tmpfs:file execute;
diff --git a/te_macros b/te_macros
deleted file mode 100644
index 84af301..0000000
--- a/te_macros
+++ /dev/null
@@ -1,338 +0,0 @@
-#####################################
-# domain_trans(olddomain, type, newdomain)
-# Allow a transition from olddomain to newdomain
-# upon executing a file labeled with type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use domain_auto_trans
-# if that is what you want.
-#
-define(`domain_trans', `
-# Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute };
-allow $1 $3:process transition;
-# New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr };
-# New domain can send SIGCHLD to its caller.
-allow $3 $1:process sigchld;
-# Enable AT_SECURE, i.e. libc secure mode.
-dontaudit $1 $3:process noatsecure;
-# XXX dontaudit candidate but requires further study.
-allow $1 $3:process { siginh rlimitinh };
-')
-
-#####################################
-# domain_auto_trans(olddomain, type, newdomain)
-# Automatically transition from olddomain to newdomain
-# upon executing a file labeled with type.
-#
-define(`domain_auto_trans', `
-# Allow the necessary permissions.
-domain_trans($1,$2,$3)
-# Make the transition occur by default.
-type_transition $1 $2:process $3;
-')
-
-#####################################
-# file_type_trans(domain, dir_type, file_type)
-# Allow domain to create a file labeled file_type in a
-# directory labeled dir_type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use file_type_auto_trans
-# if that is what you want.
-#
-define(`file_type_trans', `
-# Allow the domain to add entries to the directory.
-allow $1 $2:dir ra_dir_perms;
-# Allow the domain to create the file.
-allow $1 $3:notdevfile_class_set create_file_perms;
-allow $1 $3:dir create_dir_perms;
-')
-
-#####################################
-# file_type_auto_trans(domain, dir_type, file_type)
-# Automatically label new files with file_type when
-# they are created by domain in directories labeled dir_type.
-#
-define(`file_type_auto_trans', `
-# Allow the necessary permissions.
-file_type_trans($1, $2, $3)
-# Make the transition occur by default.
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-')
-
-#####################################
-# r_dir_file(domain, type)
-# Allow the specified domain to read directories, files
-# and symbolic links of the specified type.
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:{ file lnk_file } r_file_perms;
-')
-
-#####################################
-# tmpfs_domain(domain)
-# Define and allow access to a unique type for
-# this domain when creating tmpfs / shmem / ashmem files.
-define(`tmpfs_domain', `
-type $1_tmpfs, file_type;
-type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write };
-')
-
-#####################################
-# init_daemon_domain(domain)
-# Set up a transition from init to the daemon domain
-# upon executing its binary.
-define(`init_daemon_domain', `
-domain_auto_trans(init, $1_exec, $1)
-tmpfs_domain($1)
-')
-
-#####################################
-# app_domain(domain)
-# Allow a base set of permissions required for all apps.
-define(`app_domain', `
-typeattribute $1 appdomain;
-# Label ashmem objects with our own unique type.
-tmpfs_domain($1)
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file execute;
-')
-
-#####################################
-# net_domain(domain)
-# Allow a base set of permissions required for network access.
-define(`net_domain', `
-typeattribute $1 netdomain;
-')
-
-#####################################
-# bluetooth_domain(domain)
-# Allow a base set of permissions required for bluetooth access.
-define(`bluetooth_domain', `
-typeattribute $1 bluetoothdomain;
-')
-
-#####################################
-# unix_socket_connect(clientdomain, socket, serverdomain)
-# Allow a local socket connection from clientdomain via
-# socket to serverdomain.
-#
-# Note: If you see denial records that distill to the
-# following allow rules:
-# allow clientdomain property_socket:sock_file write;
-# allow clientdomain init:unix_stream_socket connectto;
-# allow clientdomain something_prop:property_service set;
-#
-# This sequence is indicative of attempting to set a property.
-# use set_prop(sourcedomain, targetproperty)
-#
-define(`unix_socket_connect', `
-ifelse($2, `property', `
-    ifelse($3,`init', `
-       print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
-   ')
-')
-__unix_socket_connect__($1, $2, $3)
-')
-
-define(`__unix_socket_connect__', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_stream_socket connectto;
-')
-
-#####################################
-# set_prop(sourcedomain, targetproperty)
-# Allows source domain to set the
-# targetproperty.
-#
-define(`set_prop', `
-__unix_socket_connect__($1, property, init)
-allow $1 $2:property_service set;
-get_prop($1, $2)
-')
-
-#####################################
-# get_prop(sourcedomain, targetproperty)
-# Allows source domain to read the
-# targetproperty.
-#
-define(`get_prop', `
-allow $1 $2:file r_file_perms;
-')
-
-#####################################
-# unix_socket_send(clientdomain, socket, serverdomain)
-# Allow a local socket send from clientdomain via
-# socket to serverdomain.
-define(`unix_socket_send', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_dgram_socket sendto;
-')
-
-#####################################
-# binder_use(domain)
-# Allow domain to use Binder IPC.
-define(`binder_use', `
-# Call the servicemanager and transfer references to it.
-allow $1 servicemanager:binder { call transfer };
-# servicemanager performs getpidcon on clients.
-allow servicemanager $1:dir search;
-allow servicemanager $1:file { read open };
-allow servicemanager $1:process getattr;
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# binder_call(clientdomain, serverdomain)
-# Allow clientdomain to perform binder IPC to serverdomain.
-define(`binder_call', `
-# Call the server domain and optionally transfer references to it.
-allow $1 $2:binder { call transfer };
-# Allow the serverdomain to transfer references to the client on the reply.
-allow $2 $1:binder transfer;
-# Receive and use open files from the server.
-allow $1 $2:fd use;
-')
-
-#####################################
-# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
-define(`binder_service', `
-typeattribute $1 binderservicedomain;
-')
-
-#####################################
-# wakelock_use(domain)
-# Allow domain to manage wake locks
-define(`wakelock_use', `
-# Access /sys/power/wake_lock and /sys/power/wake_unlock
-allow $1 sysfs_wake_lock:file rw_file_perms;
-# Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:capability2 block_suspend;
-')
-
-#####################################
-# selinux_check_access(domain)
-# Allow domain to check SELinux permissions via selinuxfs.
-define(`selinux_check_access', `
-allow $1 selinuxfs:file rw_file_perms;
-allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket *;
-')
-
-#####################################
-# selinux_check_context(domain)
-# Allow domain to check SELinux contexts via selinuxfs.
-define(`selinux_check_context', `
-allow $1 selinuxfs:file rw_file_perms;
-allow $1 kernel:security check_context;
-')
-
-#####################################
-# selinux_setenforce(domain)
-# Allow domain to set SELinux to enforcing.
-define(`selinux_setenforce', `
-allow $1 selinuxfs:file rw_file_perms;
-allow $1 kernel:security setenforce;
-')
-
-#####################################
-# selinux_setbool(domain)
-# Allow domain to set SELinux booleans.
-define(`selinux_setbool', `
-allow $1 selinuxfs:file rw_file_perms;
-allow $1 kernel:security setbool;
-')
-
-#####################################
-# create_pty(domain)
-# Allow domain to create and use a pty, isolated from any other domain ptys.
-define(`create_pty', `
-# Each domain gets a unique devpts type.
-type $1_devpts, fs_type;
-# Label the pty with the unique type when created.
-type_transition $1 devpts:chr_file $1_devpts;
-# Allow use of the pty after creation.
-allow $1 $1_devpts:chr_file { open getattr read write ioctl };
-# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
-# allowed to everyone via domain.te.
-')
-
-#####################################
-# Non system_app application set
-#
-define(`non_system_app_set', `{ appdomain -system_app }')
-
-#####################################
-# Recovery only
-# SELinux rules which apply only to recovery mode
-#
-define(`recovery_only', ifelse(target_recovery, `true', $1, ))
-
-#####################################
-# Userdebug or eng builds
-# SELinux rules which apply only to userdebug or eng builds
-#
-define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-define(`eng', ifelse(target_build_variant, `eng', $1))
-
-#####################################
-# write_logd(domain)
-# Ability to write to android log
-# daemon via sockets
-define(`write_logd', `
-unix_socket_send($1, logdw, logd)
-allow $1 pmsg_device:chr_file w_file_perms;
-')
-
-#####################################
-# read_logd(domain)
-# Ability to run logcat and read from android
-# log daemon via sockets
-define(`read_logd', `
-allow $1 logcat_exec:file rx_file_perms;
-unix_socket_connect($1, logdr, logd)
-')
-
-#####################################
-# control_logd(domain)
-# Ability to control
-# android log daemon via sockets
-define(`control_logd', `
-# Group AID_LOG checked by filesystem & logd
-# to permit control commands
-unix_socket_connect($1, logd, logd)
-')
-
-#####################################
-# use_keystore(domain)
-# Ability to use keystore.
-# Keystore is requires the following permissions
-# to call getpidcon.
-define(`use_keystore', `
-  allow keystore $1:dir search;
-  allow keystore $1:file { read open };
-  allow keystore $1:process getattr;
-  allow $1 keystore_service:service_manager find;
-  binder_call($1, keystore)
-')
-
-###########################################
-# use_drmservice(domain)
-# Ability to use DrmService which requires
-# DrmService to call getpidcon.
-define(`use_drmservice', `
-  allow drmserver $1:dir search;
-  allow drmserver $1:file { read open };
-  allow drmserver $1:process getattr;
-')
-
-##########################################
-# print a message with a trailing newline
-# print(`args')
-define(`print', `errprint(`m4: '__file__: __line__`: $*
-')')
diff --git a/tee.te b/tee.te
deleted file mode 100644
index 8ea6b95..0000000
--- a/tee.te
+++ /dev/null
@@ -1,15 +0,0 @@
-##
-# trusted execution environment (tee) daemon
-#
-type tee, domain, domain_deprecated;
-type tee_exec, exec_type, file_type;
-type tee_device, dev_type;
-type tee_data_file, file_type, data_file_type;
-
-init_daemon_domain(tee)
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket create_socket_perms;
-allow tee self:netlink_generic_socket create_socket_perms;
diff --git a/toolbox.te b/toolbox.te
deleted file mode 100644
index 55de7eb..0000000
--- a/toolbox.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
-# Do NOT use this domain for toolbox when run by any other domain.
-type toolbox, domain, domain_deprecated;
-type toolbox_exec, exec_type, file_type;
-
-init_daemon_domain(toolbox)
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow toolbox tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow toolbox devpts:chr_file { read write getattr ioctl };
-
-# mkswap-specific.
-# Read/write block devices used for swap partitions.
-# Assign swap_block_device type any such partition in your
-# device/<vendor>/<product>/sepolicy/file_contexts file.
-allow toolbox block_device:dir search;
-allow toolbox swap_block_device:blk_file rw_file_perms;
-
-# Only allow entry from init via the toolbox binary.
-neverallow { domain -init } toolbox:process transition;
-neverallow * toolbox:process dyntransition;
-neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
diff --git a/tools/Android.mk b/tools/Android.mk
deleted file mode 100644
index 98f562c..0000000
--- a/tools/Android.mk
+++ /dev/null
@@ -1,55 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := checkseapp
-LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := \
-		external/pcre \
-		external/selinux/libsepol/include
-LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror
-LOCAL_SRC_FILES := check_seapp.c
-LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_WHOLE_STATIC_LIBRARIES := libpcre
-LOCAL_CXX_STL := none
-
-include $(BUILD_HOST_EXECUTABLE)
-
-###################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := checkfc
-LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/selinux/libsepol/include \
-                    external/libselinux/include
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := checkfc.c
-LOCAL_STATIC_LIBRARIES := libsepol libselinux
-LOCAL_CXX_STL := none
-
-include $(BUILD_HOST_EXECUTABLE)
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := insertkeys.py
-LOCAL_SRC_FILES := insertkeys.py
-LOCAL_MODULE_CLASS := EXECUTABLES
-LOCAL_IS_HOST_MODULE := true
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_PREBUILT)
-###################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy-check
-LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/selinux/libsepol/include
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := sepolicy-check.c
-LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_CXX_STL := none
-
-include $(BUILD_HOST_EXECUTABLE)
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/README b/tools/README
deleted file mode 100644
index 6035c03..0000000
--- a/tools/README
+++ /dev/null
@@ -1,63 +0,0 @@
-This directory contains a number of tools related to policy, some of
-which are used in building and validating the policy and others are
-available for help in auditing and analyzing policy.  The tools are
-described further below.
-
-checkfc
-   A utility for checking the validity of a file_contexts or a
-   property_contexts configuration file.  Used as part of the policy
-   build to validate both files.  Requires the sepolicy file as an
-   argument in order to check the validity of the security contexts
-   in the file_contexts or property_contexts file.
-
-   Usage1:
-   checkfc sepolicy file_contexts
-   checkfc -p sepolicy property_contexts
-
-   Also used to compare two file_contexts or file_contexts.bin files.
-   Displays one of subset, equal, superset, or incomparable.
-
-   Usage2:
-   checkfc -c file_contexts1 file_contexts2
-
-   Example:
-   $ checkfc -c out/target/product/shamu/system/etc/general_file_contexts out/target/product/shamu/root/file_contexts.bin
-   subset
-
-checkseapp
-    A utility for merging together the main seapp_contexts
-    configuration and the device-specific one, and simultaneously
-    checking the validity of the configurations. Used as part of the
-    policy build process to merge and validate the configuration.
-
-    Usage:
-    checkseapp -p sepolicy input_seapp_contexts0 [input_seapp_contexts1...] -o seapp_contexts
-
-insertkeys.py
-    A helper script for mapping tags in the signature stanzas of
-    mac_permissions.xml to public keys found in pem files.  This
-    script is described further in the top-level sepolicy/README.
-
-post_process_mac_perms
-    A tool to help modify an existing mac_permissions.xml with additional app
-    certs not already found in that policy. This becomes useful when a directory
-    containing apps is searched and the certs from those apps are added to the
-    policy not already explicitly listed.
-
-    Usage:
-    post_process_mac_perms [-h] -s SEINFO -d DIR -f POLICY
-
-      -s SEINFO, --seinfo SEINFO  seinfo tag for each generated stanza
-      -d DIR, --dir DIR           Directory to search for apks
-      -f POLICY, --file POLICY    mac_permissions.xml policy file
-
-sepolicy-check
-    A tool for auditing a sepolicy file for any allow rule that grants
-    a given permission.
-
-    Usage:
-    sepolicy-check -s <domain> -t <type> -c <class> -p <permission> -P out/target/product/<board>/root/sepolicy
-
-sepolicy-analyze
-    A tool for performing various kinds of analysis on a sepolicy
-    file.
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
deleted file mode 100644
index 69db388..0000000
--- a/tools/check_seapp.c
+++ /dev/null
@@ -1,1239 +0,0 @@
-#include <stdio.h>
-#include <stdarg.h>
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <errno.h>
-#include <stdint.h>
-#include <search.h>
-#include <stdbool.h>
-#include <sepol/sepol.h>
-#include <sepol/policydb/policydb.h>
-#include <pcre.h>
-
-#define TABLE_SIZE 1024
-#define KVP_NUM_OF_RULES (sizeof(rules) / sizeof(key_map))
-#define log_set_verbose() do { logging_verbose = 1; log_info("Enabling verbose\n"); } while(0)
-#define log_error(fmt, ...) log_msg(stderr, "Error: ", fmt, ##__VA_ARGS__)
-#define log_warn(fmt, ...) log_msg(stderr, "Warning: ", fmt, ##__VA_ARGS__)
-#define log_info(fmt, ...) if (logging_verbose ) { log_msg(stdout, "Info: ", fmt, ##__VA_ARGS__); }
-
-/**
- * Initializes an empty, static list.
- */
-#define list_init(free_fn) { .head = NULL, .tail = NULL, .freefn = free_fn }
-
-/**
- * given an item in the list, finds the offset for the container
- * it was stored in.
- *
- * @element The element from the list
- * @type The container type ie what you allocated that has the list_element structure in it.
- * @name The name of the field that is the list_element
- *
- */
-#define list_entry(element, type, name) \
-		(type *)(((uint8_t *)element) - (uint8_t *)&(((type *)NULL)->name))
-
-/**
- * Iterates over the list, do not free elements from the list when using this.
- * @list The list head to walk
- * @var The variable name for the cursor
- */
-#define list_for_each(list, var) \
-	for(var = (list)->head; var != NULL; var = var->next)
-
-
-typedef struct hash_entry hash_entry;
-typedef enum key_dir key_dir;
-typedef enum data_type data_type;
-typedef enum rule_map_switch rule_map_switch;
-typedef enum map_match map_match;
-typedef struct key_map key_map;
-typedef struct kvp kvp;
-typedef struct rule_map rule_map;
-typedef struct policy_info policy_info;
-typedef struct list_element list_element;
-typedef struct list list;
-typedef struct key_map_regex key_map_regex;
-typedef struct file_info file_info;
-
-enum map_match {
-	map_no_matches,
-	map_input_matched,
-	map_matched
-};
-
-const char *map_match_str[] = {
-	"do not match",
-	"match on all inputs",
-	"match on everything"
-};
-
-/**
- * Whether or not the "key" from a key vaue pair is considered an
- * input or an output.
- */
-enum key_dir {
-	dir_in, dir_out
-};
-
-struct list_element {
-	list_element *next;
-};
-
-struct list {
-	list_element *head;
-	list_element *tail;
-	void (*freefn)(list_element *e);
-};
-
-struct key_map_regex {
-	pcre *compiled;
-	pcre_extra *extra;
-};
-
-/**
- * The workhorse of the logic. This struct maps key value pairs to
- * an associated set of meta data maintained in rule_map_new()
- */
-struct key_map {
-	char *name;
-	key_dir dir;
-	char *data;
-	key_map_regex regex;
-	bool (*fn_validate)(char *value, char **errmsg);
-};
-
-/**
- * Key value pair struct, this represents the raw kvp values coming
- * from the rules files.
- */
-struct kvp {
-	char *key;
-	char *value;
-};
-
-/**
- * Rules are made up of meta data and an associated set of kvp stored in a
- * key_map array.
- */
-struct rule_map {
-	bool is_never_allow;
-	list violations;
-	list_element listify;
-	char *key; /** key value before hashing */
-	size_t length; /** length of the key map */
-	int lineno; /** Line number rule was encounter on */
-	char *filename; /** File it was found in */
-	key_map m[]; /** key value mapping */
-};
-
-struct hash_entry {
-	list_element listify;
-	rule_map *r; /** The rule map to store at that location */
-};
-
-/**
- * Data associated for a policy file
- */
-struct policy_info {
-
-	char *policy_file_name; /** policy file path name */
-	FILE *policy_file;      /** file handle to the policy file */
-	sepol_policydb_t *db;
-	sepol_policy_file_t *pf;
-	sepol_handle_t *handle;
-	sepol_context_t *con;
-};
-
-struct file_info {
-	FILE *file; /** file itself */
-	const char *name; /** name of file. do not free, these are not alloc'd */
-	list_element listify;
-};
-
-static void input_file_list_freefn(list_element *e);
-static void line_order_list_freefn(list_element *e);
-static void rule_map_free(rule_map *rm, bool is_in_htable);
-
-/** Set to !0 to enable verbose logging */
-static int logging_verbose = 0;
-
-/** file handle to the output file */
-static file_info out_file;
-
-static list input_file_list = list_init(input_file_list_freefn);
-
-static policy_info pol = {
-	.policy_file_name = NULL,
-	.policy_file = NULL,
-	.db = NULL,
-	.pf = NULL,
-	.handle = NULL,
-	.con = NULL
-};
-
-/**
- * Head pointer to a linked list of
- * rule map table entries (hash_entry), used for
- * preserving the order of entries
- * based on "first encounter"
- */
-static list line_order_list = list_init(line_order_list_freefn);
-
-/*
- * List of hash_entrys for never allow rules.
- */
-static list nallow_list = list_init(line_order_list_freefn);
-
-/* validation call backs */
-static bool validate_bool(char *value, char **errmsg);
-static bool validate_levelFrom(char *value, char **errmsg);
-static bool validate_selinux_type(char *value, char **errmsg);
-static bool validate_selinux_level(char *value, char **errmsg);
-
-/**
- * The heart of the mapping process, this must be updated if a new key value pair is added
- * to a rule.
- */
-key_map rules[] = {
-                /*Inputs*/
-                { .name = "isSystemServer", .dir = dir_in, .fn_validate = validate_bool },
-                { .name = "isOwner",        .dir = dir_in, .fn_validate = validate_bool },
-                { .name = "user",           .dir = dir_in,                              },
-                { .name = "seinfo",         .dir = dir_in,                              },
-                { .name = "name",           .dir = dir_in,                              },
-                { .name = "path",           .dir = dir_in,                              },
-                { .name = "isPrivApp",      .dir = dir_in, .fn_validate = validate_bool },
-                /*Outputs*/
-                { .name = "domain",         .dir = dir_out, .fn_validate = validate_selinux_type  },
-                { .name = "type",           .dir = dir_out, .fn_validate = validate_selinux_type  },
-                { .name = "levelFromUid",   .dir = dir_out, .fn_validate = validate_bool          },
-                { .name = "levelFrom",      .dir = dir_out, .fn_validate = validate_levelFrom     },
-                { .name = "level",          .dir = dir_out, .fn_validate = validate_selinux_level },
-};
-
-/**
- * Appends to the end of the list.
- * @list The list to append to
- * @e the element to append
- */
-void list_append(list *list, list_element *e) {
-
-	memset(e, 0, sizeof(*e));
-
-	if (list->head == NULL ) {
-		list->head = list->tail = e;
-		return;
-	}
-
-	list->tail->next = e;
-	list->tail = e;
-	return;
-}
-
-/**
- * Free's all the elements in the specified list.
- * @list The list to free
- */
-static void list_free(list *list) {
-
-	list_element *tmp;
-	list_element *cursor = list->head;
-
-	while (cursor) {
-		tmp = cursor;
-		cursor = cursor->next;
-		if (list->freefn) {
-			list->freefn(tmp);
-		}
-	}
-}
-
-/*
- * called when the lists are freed
- */
-static void line_order_list_freefn(list_element *e) {
-	hash_entry *h = list_entry(e, typeof(*h), listify);
-	rule_map_free(h->r, true);
-	free(h);
-}
-
-static void input_file_list_freefn(list_element *e) {
-	file_info *f = list_entry(e, typeof(*f), listify);
-
-	if (f->file) {
-		fclose(f->file);
-	}
-	free(f);
-}
-
-/**
- * Send a logging message to a file
- * @param out
- * 	Output file to send message too
- * @param prefix
- * 	A special prefix to write to the file, such as "Error:"
- * @param fmt
- * 	The printf style formatter to use, such as "%d"
- */
-static void __attribute__ ((format(printf, 3, 4)))
-log_msg(FILE *out, const char *prefix, const char *fmt, ...) {
-
-	fprintf(out, "%s", prefix);
-	va_list args;
-	va_start(args, fmt);
-	vfprintf(out, fmt, args);
-	va_end(args);
-}
-
-/**
- * Checks for a type in the policy.
- * @param db
- * 	The policy db to search
- * @param type
- * 	The type to search for
- * @return
- * 	1 if the type is found, 0 otherwise.
- * @warning
- * 	This function always returns 1 if libsepol is not linked
- * 	statically to this executable and LINK_SEPOL_STATIC is not
- * 	defined.
- */
-static int check_type(sepol_policydb_t *db, char *type) {
-
-	int rc = 1;
-#if defined(LINK_SEPOL_STATIC)
-	policydb_t *d = (policydb_t *)db;
-	hashtab_datum_t dat;
-	dat = hashtab_search(d->p_types.table, type);
-	rc = (dat == NULL) ? 0 : 1;
-#endif
-	return rc;
-}
-
-static bool match_regex(key_map *assert, const key_map *check) {
-
-	char *tomatch = check->data;
-
-	int ret = pcre_exec(assert->regex.compiled, assert->regex.extra, tomatch,
-			strlen(tomatch), 0, 0, NULL, 0);
-
-	/* 0 from pcre_exec means matched */
-	return !ret;
-}
-
-static bool compile_regex(key_map *km, const char **errbuf, int *erroff) {
-
-	size_t size;
-	char *anchored;
-
-	/*
-	 * Explicitly anchor all regex's
-	 * The size is the length of the string to anchor (km->data), the anchor
-	 * characters ^ and $ and the null byte. Hence strlen(km->data) + 3
-	 */
-	size = strlen(km->data) + 3;
-	anchored = alloca(size);
-	sprintf(anchored, "^%s$", km->data);
-
-	km->regex.compiled = pcre_compile(anchored, PCRE_DOTALL, errbuf, erroff,
-			NULL );
-	if (!km->regex.compiled) {
-		return false;
-	}
-
-	km->regex.extra = pcre_study(km->regex.compiled, 0, errbuf);
-	return true;
-}
-
-static bool validate_bool(char *value, char **errmsg) {
-
-	if (!strcmp("true", value) || !strcmp("false", value)) {
-		return true;
-	}
-
-	*errmsg = "Expecting \"true\" or \"false\"";
-	return false;
-}
-
-static bool validate_levelFrom(char *value, char **errmsg) {
-
-	if(strcasecmp(value, "none") && strcasecmp(value, "all") &&
-		strcasecmp(value, "app") && strcasecmp(value, "user")) {
-		*errmsg = "Expecting one of: \"none\", \"all\", \"app\" or \"user\"";
-		return false;
-	}
-	return true;
-}
-
-static bool validate_selinux_type(char *value, char **errmsg) {
-
-	/*
-	 * No policy file present means we cannot check
-	 * SE Linux types
-	 */
-	if (!pol.policy_file) {
-		return true;
-	}
-
-	if(!check_type(pol.db, value)) {
-		*errmsg = "Expecting a valid SELinux type";
-		return false;
-	}
-
-	return true;
-}
-
-static bool validate_selinux_level(char *value, char **errmsg) {
-
-	/*
-	 * No policy file present means we cannot check
-	 * SE Linux MLS
-	 */
-	if (!pol.policy_file) {
-		return true;
-	}
-
-	int ret = sepol_mls_check(pol.handle, pol.db, value);
-	if (ret < 0) {
-		*errmsg = "Expecting a valid SELinux MLS value";
-		return false;
-	}
-
-	return true;
-}
-
-/**
- * Validates a key_map against a set of enforcement rules, this
- * function exits the application on a type that cannot be properly
- * checked
- *
- * @param m
- * 	The key map to check
- * @param lineno
- * 	The line number in the source file for the corresponding key map
- * @return
- * 	true if valid, false if invalid
- */
-static bool key_map_validate(key_map *m, const char *filename, int lineno,
-		bool is_neverallow) {
-
-	int erroff;
-	const char *errbuf;
-	bool rc = true;
-	char *key = m->name;
-	char *value = m->data;
-	char *errmsg = NULL;
-
-	log_info("Validating %s=%s\n", key, value);
-
-	/*
-	 * Neverallows are completely skipped from sanity checking so you can match
-	 * un-unspecified inputs.
-	 */
-	if (is_neverallow) {
-		if (!m->regex.compiled) {
-			rc = compile_regex(m, &errbuf, &erroff);
-			if (!rc) {
-				log_error("Invalid regex on line %d : %s PCRE error: %s at offset %d",
-					lineno, value, errbuf, erroff);
-			}
-		}
-		goto out;
-	}
-
-	/* If the key has a validation routine, call it */
-	if (m->fn_validate) {
-		rc = m->fn_validate(value, &errmsg);
-
-		if (!rc) {
-			log_error("Could not validate key \"%s\" for value \"%s\" on line: %d in file: \"%s\": %s\n", key, value,
-			lineno, filename, errmsg);
-		}
-	}
-
-out:
-	log_info("Key map validate returning: %d\n", rc);
-	return rc;
-}
-
-/**
- * Prints a rule map back to a file
- * @param fp
- * 	The file handle to print too
- * @param r
- * 	The rule map to print
- */
-static void rule_map_print(FILE *fp, rule_map *r) {
-
-	size_t i;
-	key_map *m;
-
-	for (i = 0; i < r->length; i++) {
-		m = &(r->m[i]);
-		if (i < r->length - 1)
-			fprintf(fp, "%s=%s ", m->name, m->data);
-		else
-			fprintf(fp, "%s=%s", m->name, m->data);
-	}
-}
-
-/**
- * Compare two rule maps for equality
- * @param rmA
- * 	a rule map to check
- * @param rmB
- * 	a rule map to check
- * @return
- *  a map_match enum indicating the result
- */
-static map_match rule_map_cmp(rule_map *rmA, rule_map *rmB) {
-
-	size_t i;
-	size_t j;
-	int inputs_found = 0;
-	int num_of_matched_inputs = 0;
-	int input_mode = 0;
-	size_t matches = 0;
-	key_map *mA;
-	key_map *mB;
-
-	for (i = 0; i < rmA->length; i++) {
-		mA = &(rmA->m[i]);
-
-		for (j = 0; j < rmB->length; j++) {
-			mB = &(rmB->m[j]);
-			input_mode = 0;
-
-			if (strcmp(mA->name, mB->name))
-				continue;
-
-			if (strcmp(mA->data, mB->data))
-				continue;
-
-			if (mB->dir != mA->dir)
-				continue;
-			else if (mB->dir == dir_in) {
-				input_mode = 1;
-				inputs_found++;
-			}
-
-			if (input_mode) {
-				log_info("Matched input lines: name=%s data=%s\n", mA->name, mA->data);
-				num_of_matched_inputs++;
-			}
-
-			/* Match found, move on */
-			log_info("Matched lines: name=%s data=%s", mA->name, mA->data);
-			matches++;
-			break;
-		}
-	}
-
-	/* If they all matched*/
-	if (matches == rmA->length) {
-		log_info("Rule map cmp MATCH\n");
-		return map_matched;
-	}
-
-	/* They didn't all match but the input's did */
-	else if (num_of_matched_inputs == inputs_found) {
-		log_info("Rule map cmp INPUT MATCH\n");
-		return map_input_matched;
-	}
-
-	/* They didn't all match, and the inputs didn't match, ie it didn't
-	 * match */
-	else {
-		log_info("Rule map cmp NO MATCH\n");
-		return map_no_matches;
-	}
-}
-
-/**
- * Frees a rule map
- * @param rm
- * 	rule map to be freed.
- * @is_in_htable
- * 	True if the rule map has been added to the hash table, false
- * 	otherwise.
- */
-static void rule_map_free(rule_map *rm, bool is_in_htable) {
-
-	size_t i;
-	size_t len = rm->length;
-	for (i = 0; i < len; i++) {
-		key_map *m = &(rm->m[i]);
-		free(m->data);
-
-		if (m->regex.compiled) {
-			pcre_free(m->regex.compiled);
-		}
-
-		if (m->regex.extra) {
-			pcre_free_study(m->regex.extra);
-		}
-	}
-
-	/*
-	 * hdestroy() frees comparsion keys for non glibc
-	 * on GLIBC we always free on NON-GLIBC we free if
-	 * it is not in the htable.
-	 */
-	if (rm->key) {
-#ifdef __GLIBC__
-		/* silence unused warning */
-		(void)is_in_htable;
-		free(rm->key);
-#else
-		if (!is_in_htable) {
-			free(rm->key);
-		}
-#endif
-	}
-
-	free(rm->filename);
-	free(rm);
-}
-
-static void free_kvp(kvp *k) {
-	free(k->key);
-	free(k->value);
-}
-
-/**
- * Checks a rule_map for any variation of KVP's that shouldn't be allowed.
- * It builds an assertion failure list for each rule map.
- * Note that this function logs all errors.
- *
- * Current Checks:
- * 1. That a specified name entry should have a specified seinfo entry as well.
- * 2. That no rule violates a neverallow
- * @param rm
- *  The rule map to check for validity.
- */
-static void rule_map_validate(rule_map *rm) {
-
-	size_t i, j;
-	const key_map *rule;
-	key_map *nrule;
-	hash_entry *e;
-	rule_map *assert;
-	list_element *cursor;
-
-	list_for_each(&nallow_list, cursor) {
-		e = list_entry(cursor, typeof(*e), listify);
-		assert = e->r;
-
-		size_t cnt = 0;
-
-		for (j = 0; j < assert->length; j++) {
-			nrule = &(assert->m[j]);
-
-			// mark that nrule->name is for a null check
-			bool is_null_check = !strcmp(nrule->data, "\"\"");
-
-			for (i = 0; i < rm->length; i++) {
-				rule = &(rm->m[i]);
-
-				if (!strcmp(rule->name, nrule->name)) {
-
-					/* the name was found, (data cannot be false) then it was specified */
-					is_null_check = false;
-
-					if (match_regex(nrule, rule)) {
-						cnt++;
-					}
-				}
-			}
-
-			/*
-			 * the nrule was marked in a null check and we never found a match on nrule, thus
-			 * it matched and we update the cnt
-			 */
-			if (is_null_check) {
-				cnt++;
-			}
-		}
-		if (cnt == assert->length) {
-			list_append(&rm->violations, &assert->listify);
-		}
-	}
-}
-
-/**
- * Given a set of key value pairs, this will construct a new rule map.
- * On error this function calls exit.
- * @param keys
- * 	Keys from a rule line to map
- * @param num_of_keys
- * 	The length of the keys array
- * @param lineno
- * 	The line number the keys were extracted from
- * @return
- * 	A rule map pointer.
- */
-static rule_map *rule_map_new(kvp keys[], size_t num_of_keys, int lineno,
-		const char *filename, bool is_never_allow) {
-
-	size_t i = 0, j = 0;
-	rule_map *new_map = NULL;
-	kvp *k = NULL;
-	key_map *r = NULL, *x = NULL;
-	bool seen[KVP_NUM_OF_RULES];
-
-	for (i = 0; i < KVP_NUM_OF_RULES; i++)
-		seen[i] = false;
-
-	new_map = calloc(1, (num_of_keys * sizeof(key_map)) + sizeof(rule_map));
-	if (!new_map)
-		goto oom;
-
-	new_map->is_never_allow = is_never_allow;
-	new_map->length = num_of_keys;
-	new_map->lineno = lineno;
-	new_map->filename = strdup(filename);
-	if (!new_map->filename) {
-		goto oom;
-	}
-
-	/* For all the keys in a rule line*/
-	for (i = 0; i < num_of_keys; i++) {
-		k = &(keys[i]);
-		r = &(new_map->m[i]);
-
-		for (j = 0; j < KVP_NUM_OF_RULES; j++) {
-			x = &(rules[j]);
-
-			/* Only assign key name to map name */
-			if (strcasecmp(k->key, x->name)) {
-				if (i == KVP_NUM_OF_RULES) {
-					log_error("No match for key: %s\n", k->key);
-					goto err;
-				}
-				continue;
-			}
-
-			if (seen[j]) {
-					log_error("Duplicated key: %s\n", k->key);
-					goto err;
-			}
-			seen[j] = true;
-
-			memcpy(r, x, sizeof(key_map));
-
-			/* Assign rule map value to one from file */
-			r->data = strdup(k->value);
-			if (!r->data)
-				goto oom;
-
-			/* Enforce type check*/
-			log_info("Validating keys!\n");
-			if (!key_map_validate(r, filename, lineno, new_map->is_never_allow)) {
-				log_error("Could not validate\n");
-				goto err;
-			}
-
-			/*
-			 * Only build key off of inputs with the exception of neverallows.
-			 * Neverallows are keyed off of all key value pairs,
-			 */
-			if (r->dir == dir_in || new_map->is_never_allow) {
-				char *tmp;
-				int key_len = strlen(k->key);
-				int val_len = strlen(k->value);
-				int l = (new_map->key) ? strlen(new_map->key) : 0;
-				l = l + key_len + val_len;
-				l += 1;
-
-				tmp = realloc(new_map->key, l);
-				if (!tmp)
-					goto oom;
-
-				if (!new_map->key)
-					memset(tmp, 0, l);
-
-				new_map->key = tmp;
-
-				strncat(new_map->key, k->key, key_len);
-				strncat(new_map->key, k->value, val_len);
-			}
-			break;
-		}
-		free_kvp(k);
-	}
-
-	if (new_map->key == NULL) {
-		log_error("Strange, no keys found, input file corrupt perhaps?\n");
-		goto err;
-	}
-
-	return new_map;
-
-oom:
-	log_error("Out of memory!\n");
-err:
-	if(new_map) {
-		rule_map_free(new_map, false);
-		for (; i < num_of_keys; i++) {
-			k = &(keys[i]);
-			free_kvp(k);
-		}
-	}
-	return NULL;
-}
-
-/**
- * Print the usage of the program
- */
-static void usage() {
-	printf(
-	        "checkseapp [options] <input file>\n"
-		        "Processes an seapp_contexts file specified by argument <input file> (default stdin) "
-		        "and allows later declarations to override previous ones on a match.\n"
-		        "Options:\n"
-		        "-h - print this help message\n"
-		        "-v - enable verbose debugging informations\n"
-		        "-p policy file - specify policy file for strict checking of output selectors against the policy\n"
-		        "-o output file - specify output file or - for stdout. No argument runs in silent mode and outputs nothing\n");
-}
-
-static void init() {
-
-	bool has_out_file;
-	list_element *cursor;
-	file_info *tmp;
-
-	/* input files if the list is empty, use stdin */
-	if (!input_file_list.head) {
-		log_info("Using stdin for input\n");
-		tmp = malloc(sizeof(*tmp));
-		if (!tmp) {
-			log_error("oom");
-			exit(EXIT_FAILURE);
-		}
-		tmp->name = "stdin";
-		tmp->file = stdin;
-		list_append(&input_file_list, &(tmp->listify));
-	}
-	else {
-		list_for_each(&input_file_list, cursor) {
-			tmp = list_entry(cursor, typeof(*tmp), listify);
-
-			log_info("Opening input file: \"%s\"\n", tmp->name);
-			tmp->file = fopen(tmp->name, "r");
-			if (!tmp->file) {
-				log_error("Could not open file: %s error: %s\n", tmp->name,
-						strerror(errno));
-				exit(EXIT_FAILURE);
-			}
-		}
-	}
-
-	has_out_file = out_file.name != NULL;
-
-	/* If output file is -, then use stdout, else open the path */
-	if (has_out_file && !strcmp(out_file.name, "-")) {
-		out_file.file = stdout;
-		out_file.name = "stdout";
-	}
-	else if (has_out_file) {
-		out_file.file = fopen(out_file.name, "w+");
-	}
-
-	if (has_out_file && !out_file.file) {
-		log_error("Could not open file: \"%s\" error: \"%s\"\n", out_file.name,
-				strerror(errno));
-		exit(EXIT_FAILURE);
-	}
-
-	if (pol.policy_file_name) {
-		log_info("Opening policy file: %s\n", pol.policy_file_name);
-		pol.policy_file = fopen(pol.policy_file_name, "rb");
-		if (!pol.policy_file) {
-			log_error("Could not open file: %s error: %s\n",
-					pol.policy_file_name, strerror(errno));
-			exit(EXIT_FAILURE);
-		}
-
-		pol.handle = sepol_handle_create();
-		if (!pol.handle) {
-			log_error("Could not create sepolicy handle: %s\n",
-					strerror(errno));
-			exit(EXIT_FAILURE);
-		}
-
-		if (sepol_policy_file_create(&pol.pf) < 0) {
-			log_error("Could not create sepolicy file: %s!\n",
-					strerror(errno));
-			exit(EXIT_FAILURE);
-		}
-
-		sepol_policy_file_set_fp(pol.pf, pol.policy_file);
-		sepol_policy_file_set_handle(pol.pf, pol.handle);
-
-		if (sepol_policydb_create(&pol.db) < 0) {
-			log_error("Could not create sepolicy db: %s!\n",
-					strerror(errno));
-			exit(EXIT_FAILURE);
-		}
-
-		if (sepol_policydb_read(pol.db, pol.pf) < 0) {
-			log_error("Could not lod policy file to db: %s!\n",
-					strerror(errno));
-			exit(EXIT_FAILURE);
-		}
-	}
-
-	list_for_each(&input_file_list, cursor) {
-		tmp = list_entry(cursor, typeof(*tmp), listify);
-		log_info("Input file set to: \"%s\"\n", tmp->name);
-	}
-
-	log_info("Policy file set to: \"%s\"\n",
-			(pol.policy_file_name == NULL) ? "None" : pol.policy_file_name);
-	log_info("Output file set to: \"%s\"\n", out_file.name);
-
-#if !defined(LINK_SEPOL_STATIC)
-	log_warn("LINK_SEPOL_STATIC is not defined\n""Not checking types!");
-#endif
-
-}
-
-/**
- * Handle parsing and setting the global flags for the command line
- * options. This function calls exit on failure.
- * @param argc
- * 	argument count
- * @param argv
- * 	argument list
- */
-static void handle_options(int argc, char *argv[]) {
-
-	int c;
-	file_info *input_file;
-
-	while ((c = getopt(argc, argv, "ho:p:v")) != -1) {
-		switch (c) {
-		case 'h':
-			usage();
-			exit(EXIT_SUCCESS);
-		case 'o':
-			out_file.name = optarg;
-			break;
-		case 'p':
-			pol.policy_file_name = optarg;
-			break;
-		case 'v':
-			log_set_verbose();
-			break;
-		case '?':
-			if (optopt == 'o' || optopt == 'p')
-				log_error("Option -%c requires an argument.\n", optopt);
-			else if (isprint (optopt))
-				log_error("Unknown option `-%c'.\n", optopt);
-			else {
-				log_error(
-						"Unknown option character `\\x%x'.\n",
-						optopt);
-			}
-		default:
-			exit(EXIT_FAILURE);
-		}
-	}
-
-	for (c = optind; c < argc; c++) {
-
-		input_file = calloc(1, sizeof(*input_file));
-		if (!input_file) {
-			log_error("oom");
-			exit(EXIT_FAILURE);
-		}
-		input_file->name = argv[c];
-		list_append(&input_file_list, &input_file->listify);
-	}
-}
-
-/**
- * Adds a rule to the hash table and to the ordered list if needed.
- * @param rm
- * 	The rule map to add.
- */
-static void rule_add(rule_map *rm) {
-
-	map_match cmp;
-	ENTRY e;
-	ENTRY *f;
-	hash_entry *entry;
-	hash_entry *tmp;
-	list *list_to_addto;
-
-	e.key = rm->key;
-
-	log_info("Searching for key: %s\n", e.key);
-	/* Check to see if it has already been added*/
-	f = hsearch(e, FIND);
-
-	/*
-	 * Since your only hashing on a partial key, the inputs we need to handle
-	 * when you want to override the outputs for a given input set, as well as
-	 * checking for duplicate entries.
-	 */
-	if(f) {
-		log_info("Existing entry found!\n");
-		tmp = (hash_entry *)f->data;
-		cmp = rule_map_cmp(rm, tmp->r);
-		log_error("Duplicate line detected in file: %s\n"
-			  "Lines %d and %d %s!\n",
-			  rm->filename, tmp->r->lineno, rm->lineno,
-			  map_match_str[cmp]);
-		rule_map_free(rm, false);
-		goto err;
-	}
-	/* It wasn't found, just add the rule map to the table */
-	else {
-
-		entry = malloc(sizeof(hash_entry));
-		if (!entry)
-			goto oom;
-
-		entry->r = rm;
-		e.data = entry;
-
-		f = hsearch(e, ENTER);
-		if(f == NULL) {
-			goto oom;
-		}
-
-		/* new entries must be added to the ordered list */
-		entry->r = rm;
-		list_to_addto = rm->is_never_allow ? &nallow_list : &line_order_list;
-		list_append(list_to_addto, &entry->listify);
-	}
-
-	return;
-oom:
-	if (e.key)
-		free(e.key);
-	if (entry)
-		free(entry);
-	if (rm)
-		free(rm);
-	log_error("Out of memory in function: %s\n", __FUNCTION__);
-err:
-	exit(EXIT_FAILURE);
-}
-
-static void parse_file(file_info *in_file) {
-
-	char *p;
-	size_t len;
-	char *token;
-	char *saveptr;
-	bool is_never_allow;
-	bool found_whitespace;
-
-	size_t lineno = 0;
-	char *name = NULL;
-	char *value = NULL;
-	size_t token_cnt = 0;
-
-	char line_buf[BUFSIZ];
-	kvp keys[KVP_NUM_OF_RULES];
-
-	while (fgets(line_buf, sizeof(line_buf) - 1, in_file->file)) {
-		lineno++;
-		is_never_allow = false;
-		found_whitespace = false;
-		log_info("Got line %zu\n", lineno);
-		len = strlen(line_buf);
-		if (line_buf[len - 1] == '\n')
-			line_buf[len - 1] = '\0';
-		p = line_buf;
-
-		/* neverallow lines must start with neverallow (ie ^neverallow) */
-		if (!strncasecmp(p, "neverallow", strlen("neverallow"))) {
-			p += strlen("neverallow");
-			is_never_allow = true;
-		}
-
-		/* strip trailing whitespace skip comments */
-		while (isspace(*p)) {
-			p++;
-			found_whitespace = true;
-		}
-		if (*p == '#' || *p == '\0')
-			continue;
-
-		token = strtok_r(p, " \t", &saveptr);
-		if (!token)
-			goto err;
-
-		token_cnt = 0;
-		memset(keys, 0, sizeof(kvp) * KVP_NUM_OF_RULES);
-		while (1) {
-
-			name = token;
-			value = strchr(name, '=');
-			if (!value)
-				goto err;
-			*value++ = 0;
-
-			keys[token_cnt].key = strdup(name);
-			if (!keys[token_cnt].key)
-				goto oom;
-
-			keys[token_cnt].value = strdup(value);
-			if (!keys[token_cnt].value)
-				goto oom;
-
-			token_cnt++;
-
-			token = strtok_r(NULL, " \t", &saveptr);
-			if (!token)
-				break;
-
-		} /*End token parsing */
-
-		rule_map *r = rule_map_new(keys, token_cnt, lineno, in_file->name, is_never_allow);
-		if (!r)
-			goto err;
-		rule_add(r);
-
-	} /* End file parsing */
-	return;
-
-err:
-	log_error("Reading file: \"%s\" line: %zu name: \"%s\" value: \"%s\"\n",
-		in_file->name, lineno, name, value);
-	if(found_whitespace && name && !strcasecmp(name, "neverallow")) {
-		log_error("perhaps whitespace before neverallow\n");
-	}
-	exit(EXIT_FAILURE);
-oom:
-	log_error("In function %s:  Out of memory\n", __FUNCTION__);
-	exit(EXIT_FAILURE);
-}
-
-/**
- * Parses the seapp_contexts file and neverallow file
- * and adds them to the hash table and ordered list entries
- * when it encounters them.
- * Calls exit on failure.
- */
-static void parse() {
-
-	file_info *current;
-	list_element *cursor;
-	list_for_each(&input_file_list, cursor) {
-		current = list_entry(cursor, typeof(*current), listify);
-		parse_file(current);
-	}
-}
-
-static void validate() {
-
-	list_element *cursor, *v;
-	bool found_issues = false;
-	hash_entry *e;
-	rule_map *r;
-	list_for_each(&line_order_list, cursor) {
-		e = list_entry(cursor, typeof(*e), listify);
-		rule_map_validate(e->r);
-	}
-
-	list_for_each(&line_order_list, cursor) {
-		e = list_entry(cursor, typeof(*e), listify);
-		r = e->r;
-		list_for_each(&r->violations, v) {
-			found_issues = true;
-			log_error("Rule in File \"%s\" on line %d: \"", e->r->filename, e->r->lineno);
-			rule_map_print(stderr, e->r);
-			r = list_entry(v, rule_map, listify);
-			fprintf(stderr, "\" violates neverallow in File \"%s\" on line %d: \"", r->filename, r->lineno);
-			rule_map_print(stderr, r);
-			fprintf(stderr, "\"\n");
-		}
-	}
-
-	if (found_issues) {
-		exit(EXIT_FAILURE);
-	}
-}
-
-/**
- * Should be called after parsing to cause the printing of the rule_maps
- * stored in the ordered list, head first, which preserves the "first encountered"
- * ordering.
- */
-static void output() {
-
-	hash_entry *e;
-	list_element *cursor;
-
-	if (!out_file.file) {
-		log_info("No output file, not outputting.\n");
-		return;
-	}
-
-	list_for_each(&line_order_list, cursor) {
-		e = list_entry(cursor, hash_entry, listify);
-		rule_map_print(out_file.file, e->r);
-		fprintf(out_file.file, "\n");
-	}
-}
-
-/**
- * This function is registered to the at exit handler and should clean up
- * the programs dynamic resources, such as memory and fd's.
- */
-static void cleanup() {
-
-	/* Only close this when it was opened by me and not the crt */
-	if (out_file.name && strcmp(out_file.name, "stdout") && out_file.file) {
-		log_info("Closing file: %s\n", out_file.name);
-		fclose(out_file.file);
-	}
-
-	if (pol.policy_file) {
-
-		log_info("Closing file: %s\n", pol.policy_file_name);
-		fclose(pol.policy_file);
-
-		if (pol.db)
-			sepol_policydb_free(pol.db);
-
-		if (pol.pf)
-			sepol_policy_file_free(pol.pf);
-
-		if (pol.handle)
-			sepol_handle_destroy(pol.handle);
-	}
-
-	log_info("Freeing lists\n");
-	list_free(&input_file_list);
-	list_free(&line_order_list);
-	list_free(&nallow_list);
-	hdestroy();
-}
-
-int main(int argc, char *argv[]) {
-	if (!hcreate(TABLE_SIZE)) {
-		log_error("Could not create hash table: %s\n", strerror(errno));
-		exit(EXIT_FAILURE);
-	}
-	atexit(cleanup);
-	handle_options(argc, argv);
-	init();
-	log_info("Starting to parse\n");
-	parse();
-	log_info("Parsing completed, generating output\n");
-	validate();
-	output();
-	log_info("Success, generated output\n");
-	exit(EXIT_SUCCESS);
-}
diff --git a/tools/checkfc.c b/tools/checkfc.c
deleted file mode 100644
index e7d19b0..0000000
--- a/tools/checkfc.c
+++ /dev/null
@@ -1,379 +0,0 @@
-#include <getopt.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <sepol/module.h>
-#include <sepol/policydb/policydb.h>
-#include <sepol/sepol.h>
-#include <selinux/selinux.h>
-#include <selinux/label.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-static const char * const CHECK_FC_ASSERT_ATTRS[] = { "fs_type", "dev_type", "file_type", NULL };
-static const char * const CHECK_PC_ASSERT_ATTRS[] = { "property_type", NULL };
-static const char * const CHECK_SC_ASSERT_ATTRS[] = { "service_manager_type", NULL };
-
-typedef enum filemode filemode;
-enum filemode {
-    filemode_file_contexts = 0,
-    filemode_property_contexts,
-    filemode_service_contexts
-};
-
-static struct {
-    /* policy */
-    struct {
-        union {
-            /* Union these so we don't have to cast */
-            sepol_policydb_t *sdb;
-            policydb_t *pdb;
-        };
-        sepol_policy_file_t *pf;
-        sepol_handle_t *handle;
-        FILE *file;
-#define SEHANDLE_CNT 2
-        struct selabel_handle *sehnd[SEHANDLE_CNT];
-    } sepolicy;
-
-    /* assertions */
-    struct {
-        const char * const *attrs; /* for the original set to print on error */
-        ebitmap_t set;             /* the ebitmap representation of the attrs */
-    } assert;
-
-} global_state;
-
-static const char * const *filemode_to_assert_attrs(filemode mode)
-{
-    switch (mode) {
-    case filemode_file_contexts:
-        return CHECK_FC_ASSERT_ATTRS;
-    case filemode_property_contexts:
-        return CHECK_PC_ASSERT_ATTRS;
-    case filemode_service_contexts:
-        return CHECK_SC_ASSERT_ATTRS;
-    }
-    /* die on invalid parameters */
-    fprintf(stderr, "Error: Invalid mode of operation: %d\n", mode);
-    exit(1);
-}
-
-static int get_attr_bit(policydb_t *policydb, const char *attr_name)
-{
-    struct type_datum *attr = hashtab_search(policydb->p_types.table, (char *)attr_name);
-    if (!attr) {
-        fprintf(stderr, "Error: \"%s\" is not defined in this policy.\n", attr_name);
-        return -1;
-    }
-
-    if (attr->flavor != TYPE_ATTRIB) {
-        fprintf(stderr, "Error: \"%s\" is not an attribute in this policy.\n", attr_name);
-        return -1;
-    }
-
-    return attr->s.value - 1;
-}
-
-static bool ebitmap_attribute_assertion_init(ebitmap_t *assertions, const char * const attributes[])
-{
-
-    while (*attributes) {
-
-        int bit_pos = get_attr_bit(global_state.sepolicy.pdb, *attributes);
-        if (bit_pos < 0) {
-            /* get_attr_bit() logs error */
-            return false;
-        }
-
-        int err = ebitmap_set_bit(assertions, bit_pos, 1);
-        if (err) {
-            fprintf(stderr, "Error: setting bit on assertion ebitmap!\n");
-            return false;
-        }
-        attributes++;
-    }
-    return true;
-}
-
-static bool is_type_of_attribute_set(policydb_t *policydb, const char *type_name,
-        ebitmap_t *attr_set)
-{
-    struct type_datum *type = hashtab_search(policydb->p_types.table, (char *)type_name);
-    if (!type) {
-        fprintf(stderr, "Error: \"%s\" is not defined in this policy.\n", type_name);
-        return false;
-    }
-
-    if (type->flavor != TYPE_TYPE) {
-        fprintf(stderr, "Error: \"%s\" is not a type in this policy.\n", type_name);
-        return false;
-    }
-
-    ebitmap_t dst;
-    ebitmap_init(&dst);
-
-    /* Take the intersection, if the set is empty, then its a failure */
-    int rc = ebitmap_and(&dst, attr_set, &policydb->type_attr_map[type->s.value - 1]);
-    if (rc) {
-        fprintf(stderr, "Error: Could not perform ebitmap_and: %d\n", rc);
-        exit(1);
-    }
-
-    bool res = (bool)ebitmap_length(&dst);
-
-    ebitmap_destroy(&dst);
-    return res;
-}
-
-static void dump_char_array(FILE *stream, const char * const *strings)
-{
-
-    const char * const *p = strings;
-
-    fprintf(stream, "\"");
-
-    while (*p) {
-        const char *s = *p++;
-        const char *fmt = *p ? "%s, " : "%s\"";
-        fprintf(stream, fmt, s);
-    }
-}
-
-static int validate(char **contextp)
-{
-    bool res;
-    char *context = *contextp;
-
-    sepol_context_t *ctx;
-    int rc = sepol_context_from_string(global_state.sepolicy.handle, context,
-            &ctx);
-    if (rc < 0) {
-        fprintf(stderr, "Error: Could not allocate context from string");
-        exit(1);
-    }
-
-    rc = sepol_context_check(global_state.sepolicy.handle,
-            global_state.sepolicy.sdb, ctx);
-    if (rc < 0) {
-        goto out;
-    }
-
-    const char *type_name = sepol_context_get_type(ctx);
-
-    uint32_t len = ebitmap_length(&global_state.assert.set);
-    if (len > 0) {
-        res = !is_type_of_attribute_set(global_state.sepolicy.pdb, type_name,
-                &global_state.assert.set);
-        if (res) {
-            fprintf(stderr, "Error: type \"%s\" is not of set: ", type_name);
-            dump_char_array(stderr, global_state.assert.attrs);
-            fprintf(stderr, "\n");
-            /* The calls above did not affect rc, so set error before going to out */
-            rc = -1;
-            goto out;
-        }
-    }
-    /* Success: Although it should be 0, we explicitly set rc to 0 for clarity */
-    rc = 0;
-
- out:
-    sepol_context_free(ctx);
-    return rc;
-}
-
-static void usage(char *name) {
-    fprintf(stderr, "usage1:  %s [-p|-s] [-e] sepolicy context_file\n\n"
-        "Parses a context file and checks for syntax errors.\n"
-        "The context_file is assumed to be a file_contexts file\n"
-        "unless the -p or -s option is used to indicate the property or service backend respectively.\n"
-        "If -e is specified, then the context_file is allowed to be empty.\n\n"
-
-        "usage2:  %s -c file_contexts1 file_contexts2\n\n"
-        "Compares two file contexts files and reports one of subset, equal, superset, or incomparable.\n\n",
-        name, name);
-    exit(1);
-}
-
-static void cleanup(void) {
-
-    if (global_state.sepolicy.file) {
-        fclose(global_state.sepolicy.file);
-    }
-
-    if (global_state.sepolicy.sdb) {
-        sepol_policydb_free(global_state.sepolicy.sdb);
-    }
-
-    if (global_state.sepolicy.pf) {
-        sepol_policy_file_free(global_state.sepolicy.pf);
-    }
-
-    if (global_state.sepolicy.handle) {
-        sepol_handle_destroy(global_state.sepolicy.handle);
-    }
-
-    ebitmap_destroy(&global_state.assert.set);
-
-    int i;
-    for (i = 0; i < SEHANDLE_CNT; i++) {
-        struct selabel_handle *sehnd = global_state.sepolicy.sehnd[i];
-        if (sehnd) {
-            selabel_close(sehnd);
-        }
-    }
-}
-
-static void do_compare_and_die_on_error(struct selinux_opt opts[], unsigned int backend, char *paths[])
-{
-    enum selabel_cmp_result result;
-     char *result_str[] = { "subset", "equal", "superset", "incomparable" };
-     int i;
-
-     opts[0].value = NULL; /* not validating against a policy when comparing */
-
-     for (i = 0; i < SEHANDLE_CNT; i++) {
-         opts[1].value = paths[i];
-         global_state.sepolicy.sehnd[i] = selabel_open(backend, opts, 2);
-         if (!global_state.sepolicy.sehnd[i]) {
-             fprintf(stderr, "Error: could not load context file from %s\n", paths[i]);
-             exit(1);
-         }
-     }
-
-     result = selabel_cmp(global_state.sepolicy.sehnd[0], global_state.sepolicy.sehnd[1]);
-     printf("%s\n", result_str[result]);
-}
-
-static void do_fc_check_and_die_on_error(struct selinux_opt opts[], unsigned int backend, filemode mode,
-        const char *sepolicy_file, const char *context_file, bool allow_empty)
-{
-    struct stat sb;
-    if (stat(context_file, &sb) < 0) {
-        perror("Error: could not get stat on file contexts file");
-        exit(1);
-    }
-
-    if (sb.st_size == 0) {
-        /* Nothing to check on empty file_contexts file if allowed*/
-        if (allow_empty) {
-            return;
-        }
-        /* else: We could throw the error here, but libselinux backend will catch it */
-    }
-
-    global_state.sepolicy.file = fopen(sepolicy_file, "r");
-    if (!global_state.sepolicy.file) {
-      perror("Error: could not open policy file");
-      exit(1);
-    }
-
-    global_state.sepolicy.handle = sepol_handle_create();
-    if (!global_state.sepolicy.handle) {
-        fprintf(stderr, "Error: could not create policy handle: %s\n", strerror(errno));
-        exit(1);
-    }
-
-    if (sepol_policy_file_create(&global_state.sepolicy.pf) < 0) {
-      perror("Error: could not create policy handle");
-      exit(1);
-    }
-
-    sepol_policy_file_set_fp(global_state.sepolicy.pf, global_state.sepolicy.file);
-    sepol_policy_file_set_handle(global_state.sepolicy.pf, global_state.sepolicy.handle);
-
-    int rc = sepol_policydb_create(&global_state.sepolicy.sdb);
-    if (rc < 0) {
-      perror("Error: could not create policy db");
-      exit(1);
-    }
-
-    rc = sepol_policydb_read(global_state.sepolicy.sdb, global_state.sepolicy.pf);
-    if (rc < 0) {
-      perror("Error: could not read file into policy db");
-      exit(1);
-    }
-
-    global_state.assert.attrs = filemode_to_assert_attrs(mode);
-
-    bool ret = ebitmap_attribute_assertion_init(&global_state.assert.set, global_state.assert.attrs);
-    if (!ret) {
-        /* error messages logged by ebitmap_attribute_assertion_init() */
-        exit(1);
-    }
-
-    selinux_set_callback(SELINUX_CB_VALIDATE,
-                         (union selinux_callback)&validate);
-
-    opts[1].value = context_file;
-
-    global_state.sepolicy.sehnd[0] = selabel_open(backend, opts, 2);
-    if (!global_state.sepolicy.sehnd[0]) {
-      fprintf(stderr, "Error: could not load context file from %s\n", context_file);
-      exit(1);
-    }
-}
-
-int main(int argc, char **argv)
-{
-  struct selinux_opt opts[] = {
-    { SELABEL_OPT_VALIDATE, (void*)1 },
-    { SELABEL_OPT_PATH, NULL }
-  };
-
-  // Default backend unless changed by input argument.
-  unsigned int backend = SELABEL_CTX_FILE;
-
-  bool allow_empty = false;
-  bool compare = false;
-  char c;
-
-  filemode mode = filemode_file_contexts;
-
-  while ((c = getopt(argc, argv, "cpse")) != -1) {
-    switch (c) {
-      case 'c':
-        compare = true;
-        break;
-      case 'e':
-        allow_empty = true;
-        break;
-      case 'p':
-        mode = filemode_property_contexts;
-        backend = SELABEL_CTX_ANDROID_PROP;
-        break;
-      case 's':
-        mode = filemode_service_contexts;
-        backend = SELABEL_CTX_ANDROID_PROP;
-        break;
-      case 'h':
-      default:
-        usage(argv[0]);
-        break;
-    }
-  }
-
-  int index = optind;
-  if (argc - optind != 2) {
-    usage(argv[0]);
-  }
-
-  if (compare && backend != SELABEL_CTX_FILE) {
-    usage(argv[0]);
-  }
-
-  atexit(cleanup);
-
-  if (compare) {
-      do_compare_and_die_on_error(opts, backend, &(argv[index]));
-  } else {
-      /* remaining args are sepolicy file and context file  */
-      char *sepolicy_file = argv[index];
-      char *context_file = argv[index + 1];
-
-      do_fc_check_and_die_on_error(opts, backend, mode, sepolicy_file, context_file, allow_empty);
-  }
-  exit(0);
-}
diff --git a/tools/fc_sort/Android.mk b/tools/fc_sort/Android.mk
deleted file mode 100644
index f78d550..0000000
--- a/tools/fc_sort/Android.mk
+++ /dev/null
@@ -1,12 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := fc_sort
-LOCAL_MODULE_TAGS := optional
-LOCAL_SRC_FILES := fc_sort.c
-LOCAL_CXX_STL := none
-
-include $(BUILD_HOST_EXECUTABLE)
-
-###################################
diff --git a/tools/fc_sort/MODULE_LICENSE_GPL b/tools/fc_sort/MODULE_LICENSE_GPL
deleted file mode 100644
index e69de29..0000000
--- a/tools/fc_sort/MODULE_LICENSE_GPL
+++ /dev/null
diff --git a/tools/fc_sort/NOTICE b/tools/fc_sort/NOTICE
deleted file mode 100644
index 5b6e7c6..0000000
--- a/tools/fc_sort/NOTICE
+++ /dev/null
@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.
diff --git a/tools/fc_sort/README b/tools/fc_sort/README
deleted file mode 100644
index 0210dc7..0000000
--- a/tools/fc_sort/README
+++ /dev/null
@@ -1,9 +0,0 @@
-fc_sort is a tool used for sorting the file_contexts entries based on a heuristic that is
- covered by a Fedora document. That document can be found here:
- * https://fedoraproject.org/wiki/SELinux/ManagingFileContext
-
-The tool itself originates from:
- * https://github.com/TresysTechnology/refpolicy
-
-It can be updated to the current tip of master branch with the below command:
-$ wget https://raw.githubusercontent.com/TresysTechnology/refpolicy/master/support/fc_sort.c
diff --git a/tools/fc_sort/fc_sort.c b/tools/fc_sort/fc_sort.c
deleted file mode 100644
index f4d2cd0..0000000
--- a/tools/fc_sort/fc_sort.c
+++ /dev/null
@@ -1,567 +0,0 @@
-/* Copyright 2005,2013 Tresys Technology
- *
- * Some parts of this came from matchpathcon.c in libselinux
- */
-
-/* PURPOSE OF THIS PROGRAM
- * The original setfiles sorting algorithm did not take into
- * account regular expression specificity. With the current
- * strict and targeted policies this is not an issue because
- * the file contexts are partially hand sorted and concatenated
- * in the right order so that the matches are generally correct.
- * The way reference policy and loadable policy modules handle
- * file contexts makes them come out in an unpredictable order
- * and therefore setfiles (or this standalone tool) need to sort
- * the regular expressions in a deterministic and stable way.
- */
-
-#define BUF_SIZE 4096;
-#define _GNU_SOURCE
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-typedef unsigned char bool_t;
-
-/* file_context_node
- * A node used in a linked list of file contexts.c
- * Each node contains the regular expression, the type and
- *  the context, as well as information about the regular
- *  expression. The regular expression data (meta, stem_len
- *  and str_len) can be filled in by using the fc_fill_data
- *  function after the regular expression has been loaded.
- * next points to the next node in the linked list.
- */
-typedef struct file_context_node {
-	char *path;
-	char *file_type;
-	char *context;
-	bool_t meta;
-	int stem_len;
-	int str_len;
-	struct file_context_node *next;
-} file_context_node_t;
-
-void file_context_node_destroy(file_context_node_t *x)
-{
-	free(x->path);
-	free(x->file_type);
-	free(x->context);
-}
-
-
-
-/* file_context_bucket
- * A node used in a linked list of buckets that contain
- *  file_context_node's.
- * Each node contains a pointer to a file_context_node which
- *  is the header of its linked list. This linked list is the
- *  content of this bucket.
- * next points to the next bucket in the linked list.
- */
-typedef struct file_context_bucket {
-	file_context_node_t *data;
-	struct file_context_bucket *next;
-} file_context_bucket_t;
-
-
-
-/* fc_compare
- * Compares two file contexts' regular expressions and returns:
- *    -1 if a is less specific than b
- *     0 if a and be are equally specific
- *     1 if a is more specific than b
- * The comparison is based on the following statements,
- *  in order from most important to least important, given a and b:
- *     If a is a regular expression and b is not,
- *      -> a is less specific than b.
- *     If a's stem length is shorter than b's stem length,
- *      -> a is less specific than b.
- *     If a's string length is shorter than b's string length,
- *      -> a is less specific than b.
- *     If a does not have a specified type and b does,
- *      -> a is less specific than b.
- */
-int fc_compare(file_context_node_t *a, file_context_node_t *b)
-{
-	/* Check to see if either a or b have meta characters
-	 *  and the other doesn't. */
-	if (a->meta && !b->meta)
-		return -1;
-	if (b->meta && !a->meta)
-		return 1;
-
-	/* Check to see if either a or b have a shorter stem
-	 *  length than the other. */
-	if (a->stem_len < b->stem_len)
-		return -1;
-	if (b->stem_len < a->stem_len)
-		return 1;
-
-	/* Check to see if either a or b have a shorter string
-	 *  length than the other. */
-	if (a->str_len < b->str_len)
-		return -1;
-	if (b->str_len < a->str_len)
-		return 1;
-
-	/* Check to see if either a or b has a specified type
-	 *  and the other doesn't. */
-	if (!a->file_type && b->file_type)
-		return -1;
-	if (!b->file_type && a->file_type)
-		return 1;
-
-	/* If none of the above conditions were satisfied,
-	 * then a and b are equally specific. */
-	return 0;
-}
-
-
-
-/* fc_merge
- * Merges two sorted file context linked lists into one
- *  sorted one.
- * Pass two lists a and b, and after the completion of fc_merge,
- *  the final list is contained in a, and b is empty.
- */
-file_context_node_t *fc_merge(file_context_node_t *a,
-				   file_context_node_t *b)
-{
-	file_context_node_t *a_current;
-	file_context_node_t *b_current;
-	file_context_node_t *temp;
-	file_context_node_t *jumpto;
-
-
-
-	/* If a is a empty list, and b is not,
-	 *  set a as b and proceed to the end. */
-	if (!a && b)
-		a = b;
-	/* If b is an empty list, leave a as it is. */
-	else if (!b) {
-	} else {
-		/* Make it so the list a has the lesser
-		 *  first element always. */
-		if (fc_compare(a, b) == 1) {
-			temp = a;
-			a = b;
-			b = temp;
-		}
-		a_current = a;
-		b_current = b;
-
-		/* Merge by inserting b's nodes in between a's nodes. */
-		while (a_current->next && b_current) {
-			jumpto = a_current->next;
-
-			/* Insert b's nodes in between the current a node
-			 *  and the next a node.*/
-			while (b_current && a_current->next &&
-			       fc_compare(a_current->next,
-					  b_current) != -1) {
-
-
-				temp = a_current->next;
-				a_current->next = b_current;
-				b_current = b_current->next;
-				a_current->next->next = temp;
-				a_current = a_current->next;
-			}
-
-			/* Skip all the inserted node from b to the
-			 *  next node in the original a. */
-			a_current = jumpto;
-		}
-
-
-		/* if there is anything left in b to be inserted,
-		   put it on the end */
-		if (b_current) {
-			a_current->next = b_current;
-		}
-	}
-
-	return a;
-}
-
-
-
-/* fc_merge_sort
- * Sorts file contexts from least specific to more specific.
- * The bucket linked list is passed and after the completion
- *  of the fc_merge_sort function, there is only one bucket
- *  (pointed to by master) that contains a linked list
- *  of all the file contexts, in sorted order.
- * Explanation of the algorithm:
- *  The algorithm implemented in fc_merge_sort is an iterative
- *   implementation of merge sort.
- *  At first, each bucket has a linked list of file contexts
- *   that are 1 element each.
- *  Each pass, each odd numbered bucket is merged into the bucket
- *   before it. This halves the number of buckets each pass.
- *  It will continue passing over the buckets (as described above)
- *   until there is only  one bucket left, containing the list of
- *   file contexts, sorted.
- */
-void fc_merge_sort(file_context_bucket_t *master)
-{
-
-
-	file_context_bucket_t *current;
-	file_context_bucket_t *temp;
-
-	/* Loop until master is the only bucket left
-	 * so that this will stop when master contains
-	 * the sorted list. */
-	while (master->next) {
-		current = master;
-
-		/* This loop merges buckets two-by-two. */
-		while (current) {
-
-			if (current->next) {
-
-				current->data =
-				    fc_merge(current->data,
-					     current->next->data);
-
-
-
-				temp = current->next;
-				current->next = current->next->next;
-
-				free(temp);
-
-			}
-
-
-			current = current->next;
-		}
-	}
-
-
-}
-
-
-
-/* fc_fill_data
- * This processes a regular expression in a file context
- *  and sets the data held in file_context_node, namely
- *  meta, str_len and stem_len.
- * The following changes are made to fc_node after the
- *  the completion of the function:
- *     fc_node->meta =		1 if path has a meta character, 0 if not.
- *     fc_node->str_len =	The string length of the entire path
- *     fc_node->stem_len = 	The number of characters up until
- *				 the first meta character.
- */
-void fc_fill_data(file_context_node_t *fc_node)
-{
-	int c = 0;
-
-	fc_node->meta = 0;
-	fc_node->stem_len = 0;
-	fc_node->str_len = 0;
-
-	/* Process until the string termination character
-	 *  has been reached.
-	 * Note: this while loop has been adapted from
-	 *  spec_hasMetaChars in matchpathcon.c from
-	 *  libselinux-1.22. */
-	while (fc_node->path[c] != '\0') {
-		switch (fc_node->path[c]) {
-		case '.':
-		case '^':
-		case '$':
-		case '?':
-		case '*':
-		case '+':
-		case '|':
-		case '[':
-		case '(':
-		case '{':
-			/* If a meta character is found,
-			 *  set meta to one */
-			fc_node->meta = 1;
-			break;
-		case '\\':
-			/* If a escape character is found,
-			 *  skip the next character. */
-			c++;
-		default:
-			/* If no meta character has been found yet,
-			 *  add one to the stem length. */
-			if (!fc_node->meta)
-				fc_node->stem_len++;
-			break;
-		}
-
-		fc_node->str_len++;
-		c++;
-	}
-}
-
-/* main
- * This program takes in two arguments, the input filename and the
- *  output filename. The input file should be syntactically correct.
- * Overall what is done in the main is read in the file and store each
- *  line of code, sort it, then output it to the output file.
- */
-int main(int argc, char *argv[])
-{
-	int lines;
-	size_t start, finish, regex_len, context_len;
-	size_t line_len, buf_len, i, j;
-	char *input_name, *output_name, *line_buf;
-
-	file_context_node_t *temp;
-	file_context_node_t *head;
-	file_context_node_t *current;
-	file_context_bucket_t *master;
-	file_context_bucket_t *bcurrent;
-
-	FILE *in_file, *out_file;
-
-
-	/* Check for the correct number of command line arguments. */
-	if (argc < 2 || argc > 3) {
-		fprintf(stderr, "Usage: %s <infile> [<outfile>]\n",argv[0]);
-		return 1;
-	}
-
-	input_name = argv[1];
-	output_name = (argc >= 3) ? argv[2] : NULL;
-
-	i = j = lines = 0;
-
-	/* Open the input file. */
-	if (!(in_file = fopen(input_name, "r"))) {
-		fprintf(stderr, "Error: failure opening input file for read.\n");
-		return 1;
-	}
-
-	/* Initialize the head of the linked list. */
-	head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t));
-	head->next = NULL;
-
-	/* Parse the file into a file_context linked list. */
-	line_buf = NULL;
-
-	while ( getline(&line_buf, &buf_len, in_file) != -1 ){
-		line_len = strlen(line_buf);
-		if( line_len == 0 || line_len == 1)
-			continue;
-		/* Get rid of whitespace from the front of the line. */
-		for (i = 0; i < line_len; i++) {
-			if (!isspace(line_buf[i]))
-				break;
-		}
-
-
-		if (i >= line_len)
-			continue;
-		/* Check if the line isn't empty and isn't a comment */
-		if (line_buf[i] == '#')
-			continue;
-
-		/* We have a valid line - allocate a new node. */
-		temp = (file_context_node_t *)malloc(sizeof(file_context_node_t));
-		if (!temp) {
-			fprintf(stderr, "Error: failure allocating memory.\n");
-			return 1;
-		}
-		temp->next = NULL;
-		memset(temp, 0, sizeof(file_context_node_t));
-
-		/* Parse out the regular expression from the line. */
-		start = i;
-
-
-		while (i < line_len && (!isspace(line_buf[i])))
-			i++;
-		finish = i;
-
-
-		regex_len = finish - start;
-
-		if (regex_len == 0) {
-			file_context_node_destroy(temp);
-			free(temp);
-
-
-			continue;
-		}
-
-		temp->path = (char*)strndup(&line_buf[start], regex_len);
-		if (!temp->path) {
-			file_context_node_destroy(temp);
-			free(temp);
-			fprintf(stderr, "Error: failure allocating memory.\n");
-			return 1;
-		}
-
-		/* Get rid of whitespace after the regular expression. */
-		for (; i < line_len; i++) {
-
-			if (!isspace(line_buf[i]))
-				break;
-		}
-
-		if (i == line_len) {
-			file_context_node_destroy(temp);
-			free(temp);
-			continue;
-		}
-
-		/* Parse out the type from the line (if it
-			*  is there). */
-		if (line_buf[i] == '-') {
-			temp->file_type = (char *)malloc(sizeof(char) * 3);
-			if (!(temp->file_type)) {
-				fprintf(stderr, "Error: failure allocating memory.\n");
-				return 1;
-			}
-
-			if( i + 2 >= line_len ) {
-				file_context_node_destroy(temp);
-				free(temp);
-
-				continue;
-			}
-
-			/* Fill the type into the array. */
-			temp->file_type[0] = line_buf[i];
-			temp->file_type[1] = line_buf[i + 1];
-			i += 2;
-			temp->file_type[2] = 0;
-
-			/* Get rid of whitespace after the type. */
-			for (; i < line_len; i++) {
-				if (!isspace(line_buf[i]))
-					break;
-			}
-
-			if (i == line_len) {
-
-				file_context_node_destroy(temp);
-				free(temp);
-				continue;
-			}
-		}
-
-		/* Parse out the context from the line. */
-		start = i;
-		while (i < line_len && (!isspace(line_buf[i])))
-			i++;
-		finish = i;
-
-		context_len = finish - start;
-
-		temp->context = (char*)strndup(&line_buf[start], context_len);
-		if (!temp->context) {
-			file_context_node_destroy(temp);
-			free(temp);
-			fprintf(stderr, "Error: failure allocating memory.\n");
-			return 1;
-		}
-
-		/* Set all the data about the regular
-			*  expression. */
-		fc_fill_data(temp);
-
-		/* Link this line of code at the end of
-			*  the linked list. */
-		current->next = temp;
-		current = current->next;
-		lines++;
-
-
-		free(line_buf);
-		line_buf = NULL;
-	}
-	fclose(in_file);
-
-	/* Create the bucket linked list from the earlier linked list. */
-	current = head->next;
-	bcurrent = master =
-	    (file_context_bucket_t *)
-	    malloc(sizeof(file_context_bucket_t));
-	bcurrent->next = NULL;
-	bcurrent->data = NULL;
-
-	/* Go until all the nodes have been put in individual buckets. */
-	while (current) {
-		/* Copy over the file context line into the bucket. */
-		bcurrent->data = current;
-		current = current->next;
-
-		/* Detach the node in the bucket from the old list. */
-		bcurrent->data->next = NULL;
-
-		/* If there should be another bucket, put one at the end. */
-		if (current) {
-			bcurrent->next =
-			    (file_context_bucket_t *)
-			    malloc(sizeof(file_context_bucket_t));
-			if (!(bcurrent->next)) {
-				printf
-				    ("Error: failure allocating memory.\n");
-				return -1;
-			}
-
-			/* Make sure the new bucket thinks it's the end of the
-			 *  list. */
-			bcurrent->next->next = NULL;
-
-			bcurrent = bcurrent->next;
-		}
-
-	}
-
-	/* Sort the bucket list. */
-	fc_merge_sort(master);
-
-	/* Open the output file. */
-	if (output_name) {
-		if (!(out_file = fopen(output_name, "w"))) {
-			printf("Error: failure opening output file for write.\n");
-			return -1;
-		}
-	} else {
-		out_file = stdout;
-	}
-
-	/* Output the sorted file_context linked list to the output file. */
-	current = master->data;
-	while (current) {
-		/* Output the path. */
-		fprintf(out_file, "%s\t\t", current->path);
-
-		/* Output the type, if there is one. */
-		if (current->file_type) {
-			fprintf(out_file, "%s\t", current->file_type);
-		}
-
-		/* Output the context. */
-		fprintf(out_file, "%s\n", current->context);
-
-		/* Remove the node. */
-		temp = current;
-		current = current->next;
-
-		file_context_node_destroy(temp);
-		free(temp);
-
-	}
-	free(master);
-
-	if (output_name) {
-		fclose(out_file);
-	}
-
-	return 0;
-}
diff --git a/tools/insertkeys.py b/tools/insertkeys.py
deleted file mode 100755
index ca1e432..0000000
--- a/tools/insertkeys.py
+++ /dev/null
@@ -1,267 +0,0 @@
-#!/usr/bin/env python
-
-from xml.sax import saxutils, handler, make_parser
-from optparse import OptionParser
-import ConfigParser
-import logging
-import base64
-import sys
-import os
-
-__VERSION = (0, 1)
-
-'''
-This tool reads a mac_permissions.xml and replaces keywords in the signature
-clause with keys provided by pem files.
-'''
-
-class GenerateKeys(object):
-    def __init__(self, path):
-        '''
-        Generates an object with Base16 and Base64 encoded versions of the keys
-        found in the supplied pem file argument. PEM files can contain multiple
-        certs, however this seems to be unused in Android as pkg manager grabs
-        the first cert in the APK. This will however support multiple certs in
-        the resulting generation with index[0] being the first cert in the pem
-        file.
-        '''
-
-        self._base64Key = list()
-        self._base16Key = list()
-
-        if not os.path.isfile(path):
-            sys.exit("Path " + path + " does not exist or is not a file!")
-
-        pkFile = open(path, 'rb').readlines()
-        base64Key = ""
-        lineNo = 1
-        certNo = 1
-        inCert = False
-        for line in pkFile:
-            line = line.strip()
-            # Are we starting the certificate?
-            if line == "-----BEGIN CERTIFICATE-----":
-                if inCert:
-                    sys.exit("Encountered another BEGIN CERTIFICATE without END CERTIFICATE on " +
-                             "line: " + str(lineNo))
-
-                inCert = True
-
-            # Are we ending the ceritifcate?
-            elif line == "-----END CERTIFICATE-----":
-                if not inCert:
-                    sys.exit("Encountered END CERTIFICATE before BEGIN CERTIFICATE on line: "
-                            + str(lineNo))
-
-                # If we ended the certificate trip the flag
-                inCert = False
-
-                # Sanity check the input
-                if len(base64Key) == 0:
-                    sys.exit("Empty certficate , certificate "+ str(certNo) + " found in file: "
-                            + path)
-
-                # ... and append the certificate to the list
-                # Base 64 includes uppercase. DO NOT tolower()
-                self._base64Key.append(base64Key)
-                try:
-                    # Pkgmanager and setool see hex strings with lowercase, lets be consistent
-                    self._base16Key.append(base64.b16encode(base64.b64decode(base64Key)).lower())
-                except TypeError:
-                    sys.exit("Invalid certificate, certificate "+ str(certNo) + " found in file: "
-                            + path)
-
-                # After adding the key, reset the accumulator as pem files may have subsequent keys
-                base64Key=""
-
-                # And increment your cert number
-                certNo = certNo + 1
-
-            # If we haven't started the certificate, then we should not encounter any data
-            elif not inCert:
-                if line is not "":
-                    sys.exit("Detected erroneous line \""+ line + "\" on " + str(lineNo)
-                        + " in pem file: " + path)
-
-            # else we have started the certicate and need to append the data
-            elif inCert:
-                base64Key += line
-
-            else:
-                # We should never hit this assert, if we do then an unaccounted for state
-                # was entered that was NOT addressed by the if/elif statements above
-                assert(False == True)
-
-            # The last thing to do before looping up is to increment line number
-            lineNo = lineNo + 1
-
-    def __len__(self):
-        return len(self._base16Key)
-
-    def __str__(self):
-        return str(self.getBase16Keys())
-
-    def getBase16Keys(self):
-        return self._base16Key
-
-    def getBase64Keys(self):
-        return self._base64Key
-
-class ParseConfig(ConfigParser.ConfigParser):
-
-    # This must be lowercase
-    OPTION_WILDCARD_TAG = "all"
-
-    def generateKeyMap(self, target_build_variant, key_directory):
-
-        keyMap = dict()
-
-        for tag in self.sections():
-
-            options = self.options(tag)
-
-            for option in options:
-
-                # Only generate the key map for debug or release,
-                # not both!
-                if option != target_build_variant and \
-                option != ParseConfig.OPTION_WILDCARD_TAG:
-                    logging.info("Skipping " + tag + " : " + option +
-                        " because target build variant is set to " +
-                        str(target_build_variant))
-                    continue
-
-                if tag in keyMap:
-                    sys.exit("Duplicate tag detected " + tag)
-
-                tag_path = os.path.expandvars(self.get(tag, option))
-                path = os.path.join(key_directory, tag_path)
-
-                keyMap[tag] = GenerateKeys(path)
-
-                # Multiple certificates may exist in
-                # the pem file. GenerateKeys supports
-                # this however, the mac_permissions.xml
-                # as well as PMS do not.
-                assert len(keyMap[tag]) == 1
-
-        return keyMap
-
-class ReplaceTags(handler.ContentHandler):
-
-    DEFAULT_TAG = "default"
-    PACKAGE_TAG = "package"
-    POLICY_TAG = "policy"
-    SIGNER_TAG = "signer"
-    SIGNATURE_TAG = "signature"
-
-    TAGS_WITH_CHILDREN = [ DEFAULT_TAG, PACKAGE_TAG, POLICY_TAG, SIGNER_TAG ]
-
-    XML_ENCODING_TAG = '<?xml version="1.0" encoding="iso-8859-1"?>'
-
-    def __init__(self, keyMap, out=sys.stdout):
-
-        handler.ContentHandler.__init__(self)
-        self._keyMap = keyMap
-        self._out = out
-        self._out.write(ReplaceTags.XML_ENCODING_TAG)
-        self._out.write("<!-- AUTOGENERATED FILE DO NOT MODIFY -->")
-        self._out.write("<policy>")
-
-    def __del__(self):
-        self._out.write("</policy>")
-
-    def startElement(self, tag, attrs):
-        if tag == ReplaceTags.POLICY_TAG:
-            return
-
-        self._out.write('<' + tag)
-
-        for (name, value) in attrs.items():
-
-            if name == ReplaceTags.SIGNATURE_TAG and value in self._keyMap:
-                for key in self._keyMap[value].getBase16Keys():
-                    logging.info("Replacing " + name + " " + value + " with " + key)
-                    self._out.write(' %s="%s"' % (name, saxutils.escape(key)))
-            else:
-                self._out.write(' %s="%s"' % (name, saxutils.escape(value)))
-
-        if tag in ReplaceTags.TAGS_WITH_CHILDREN:
-            self._out.write('>')
-        else:
-            self._out.write('/>')
-
-    def endElement(self, tag):
-        if tag == ReplaceTags.POLICY_TAG:
-            return
-
-        if tag in ReplaceTags.TAGS_WITH_CHILDREN:
-            self._out.write('</%s>' % tag)
-
-    def characters(self, content):
-        if not content.isspace():
-            self._out.write(saxutils.escape(content))
-
-    def ignorableWhitespace(self, content):
-        pass
-
-    def processingInstruction(self, target, data):
-        self._out.write('<?%s %s?>' % (target, data))
-
-if __name__ == "__main__":
-
-    # Intentional double space to line up equls signs and opening " for
-    # readability.
-    usage  = "usage: %prog [options] CONFIG_FILE MAC_PERMISSIONS_FILE [MAC_PERMISSIONS_FILE...]\n"
-    usage += "This tool allows one to configure an automatic inclusion\n"
-    usage += "of signing keys into the mac_permision.xml file(s) from the\n"
-    usage += "pem files. If mulitple mac_permision.xml files are included\n"
-    usage += "then they are unioned to produce a final version."
-
-    version = "%prog " + str(__VERSION)
-
-    parser = OptionParser(usage=usage, version=version)
-
-    parser.add_option("-v", "--verbose",
-                      action="store_true", dest="verbose", default=False,
-                      help="Print internal operations to stdout")
-
-    parser.add_option("-o", "--output", default="stdout", dest="output_file",
-                      metavar="FILE", help="Specify an output file, default is stdout")
-
-    parser.add_option("-c", "--cwd", default=os.getcwd(), dest="root",
-                      metavar="DIR", help="Specify a root (CWD) directory to run this from, it" \
-                                          "chdirs' AFTER loading the config file")
-
-    parser.add_option("-t", "--target-build-variant", default="eng", dest="target_build_variant",
-                      help="Specify the TARGET_BUILD_VARIANT, defaults to eng")
-
-    parser.add_option("-d", "--key-directory", default="", dest="key_directory",
-                      help="Specify a parent directory for keys")
-
-    (options, args) = parser.parse_args()
-
-    if len(args) < 2:
-        parser.error("Must specify a config file (keys.conf) AND mac_permissions.xml file(s)!")
-
-    logging.basicConfig(level=logging.INFO if options.verbose == True else logging.WARN)
-
-    # Read the config file
-    config = ParseConfig()
-    config.read(args[0])
-
-    os.chdir(options.root)
-
-    output_file = sys.stdout if options.output_file == "stdout" else open(options.output_file, "w")
-    logging.info("Setting output file to: " + options.output_file)
-
-    # Generate the key list
-    key_map = config.generateKeyMap(options.target_build_variant.lower(), options.key_directory)
-    logging.info("Generate key map:")
-    for k in key_map:
-        logging.info(k + " : " + str(key_map[k]))
-    # Generate the XML file with markup replaced with keys
-    parser = make_parser()
-    parser.setContentHandler(ReplaceTags(key_map, output_file))
-    for f in args[1:]:
-        parser.parse(f)
diff --git a/tools/post_process_mac_perms b/tools/post_process_mac_perms
deleted file mode 100755
index 25893ed..0000000
--- a/tools/post_process_mac_perms
+++ /dev/null
@@ -1,106 +0,0 @@
-#!/usr/bin/env python
-#
-# Copyright (C) 2013 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""
-Tool to help modify an existing mac_permissions.xml with additional app
-certs not already found in that policy. This becomes useful when a directory
-containing apps is searched and the certs from those apps are added to the
-policy not already explicitly listed.
-"""
-
-import sys
-import os
-import argparse
-from base64 import b16encode, b64decode
-import fileinput
-import re
-import subprocess
-import zipfile
-
-PEM_CERT_RE = """-----BEGIN CERTIFICATE-----
-(.+?)
------END CERTIFICATE-----
-"""
-def collect_certs_for_app(filename):
-  app_certs = set()
-  with zipfile.ZipFile(filename, 'r') as apkzip:
-    for info in apkzip.infolist():
-      name = info.filename
-      if name.startswith('META-INF/') and name.endswith(('.DSA', '.RSA')):
-        cmd = ['openssl', 'pkcs7', '-inform', 'DER',
-               '-outform', 'PEM', '-print_certs']
-        p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
-                             stderr=subprocess.PIPE)
-        pem_string, err = p.communicate(apkzip.read(name))
-        if err and err.strip():
-          raise RuntimeError('Problem running openssl on %s (%s)' % (filename, e))
-
-        # turn multiline base64 to single line base16
-        transform = lambda x: b16encode(b64decode(x.replace('\n', ''))).lower()
-        results = re.findall(PEM_CERT_RE, pem_string, re.DOTALL)
-        certs = [transform(i) for i in results]
-
-        app_certs.update(certs)
-
-  return app_certs
-
-def add_leftover_certs(args):
-  all_app_certs = set()
-  for dirpath, _, files in os.walk(args.dir):
-    transform = lambda x: os.path.join(dirpath, x)
-    condition = lambda x: x.endswith('.apk')
-    apps = [transform(i) for i in files if condition(i)]
-
-    # Collect certs for each app found
-    for app in apps:
-      app_certs = collect_certs_for_app(app)
-      all_app_certs.update(app_certs)
-
-  if all_app_certs:
-    policy_certs = set()
-    with open(args.policy, 'r') as f:
-      cert_pattern = 'signature="([a-fA-F0-9]+)"'
-      policy_certs = re.findall(cert_pattern, f.read())
-
-    cert_diff = all_app_certs.difference(policy_certs)
-
-    # Build xml stanzas
-    inner_tag = '<seinfo value="%s"/>' % args.seinfo
-    stanza = '<signer signature="%s">%s</signer>'
-    new_stanzas = [stanza % (cert, inner_tag) for cert in cert_diff]
-    mac_perms_string = ''.join(new_stanzas)
-    mac_perms_string += '</policy>'
-
-    # Inline replace with new policy stanzas
-    for line in fileinput.input(args.policy, inplace=True):
-      sys.stdout.write(line.replace('</policy>', mac_perms_string))
-
-def main(argv):
-  parser = argparse.ArgumentParser(description=__doc__)
-
-  parser.add_argument('-s', '--seinfo', dest='seinfo', required=True,
-                      help='seinfo tag for each generated stanza')
-  parser.add_argument('-d', '--dir', dest='dir', required=True,
-                      help='Directory to search for apks')
-  parser.add_argument('-f', '--file', dest='policy', required=True,
-                      help='mac_permissions.xml policy file')
-
-  parser.set_defaults(func=add_leftover_certs)
-  args = parser.parse_args()
-  args.func(args)
-
-if __name__ == '__main__':
-  main(sys.argv)
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
deleted file mode 100644
index 7568351..0000000
--- a/tools/sepolicy-analyze/Android.mk
+++ /dev/null
@@ -1,14 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-###################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy-analyze
-LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/selinux/libsepol/include
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
-LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_CXX_STL := none
-
-include $(BUILD_HOST_EXECUTABLE)
diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README
deleted file mode 100644
index d18609a..0000000
--- a/tools/sepolicy-analyze/README
+++ /dev/null
@@ -1,94 +0,0 @@
-sepolicy-analyze
-    A component-ized tool for performing various kinds of analysis on a
-    sepolicy file.  The current kinds of analysis that are currently
-    supported include:
-
-    TYPE EQUIVALENCE (typecmp)
-    sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -e
-
-    Display all type pairs that are "equivalent", i.e. they are
-    identical with respect to allow rules, including indirect allow
-    rules via attributes and default-enabled conditional rules
-    (i.e. default boolean values yield a true conditional expression).
-
-    Equivalent types are candidates for being coalesced into a single
-    type.  However, there may be legitimate reasons for them to remain
-    separate, for example: - the types may differ in a respect not
-    included in the current analysis, such as default-disabled
-    conditional rules, audit-related rules (auditallow or dontaudit),
-    default type transitions, or constraints (e.g. mls), or - the
-    current policy may be overly permissive with respect to one or the
-    other of the types and thus the correct action may be to tighten
-    access to one or the other rather than coalescing them together,
-    or - the domains that would in fact have different accesses to the
-    types may not yet be defined or may be unconfined in the policy
-    you are analyzing.
-
-    TYPE DIFFERENCE (typecmp)
-    sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -d
-
-    Display type pairs that differ and the first difference found
-    between the two types.  This may be used in looking for similar
-    types that are not equivalent but may be candidates for coalescing.
-
-    DUPLICATE ALLOW RULES (dups)
-    sepolicy-analyze out/target/product/<board>/root/sepolicy dups
-
-    Displays duplicate allow rules, i.e. pairs of allow rules that
-    grant the same permissions where one allow rule is written
-    directly in terms of individual types and the other is written in
-    terms of attributes associated with those same types.  The rule
-    with individual types is a candidate for removal.  The rule with
-    individual types may be directly represented in the source policy
-    or may be a result of expansion of a type negation (e.g. domain
-    -foo -bar is expanded to individual allow rules by the policy
-    compiler).  Domains with unconfineddomain will typically have such
-    duplicate rules as a natural side effect and can be ignored.
-
-    PERMISSIVE DOMAINS (permissive)
-    sepolicy-analyze out/target/product/<board>/root/sepolicy permissive
-
-    Displays domains in the policy that are permissive, i.e. avc
-    denials are logged but not enforced for these domains.  While
-    permissive domains can be helpful during development, they
-    should not be present in a final -user build.
-
-    BOOLEANS (booleans)
-    sepolicy-analyze out/target/product/<board>/root/sepolicy booleans
-
-    Displays the boolean names in the policy (if any).
-    Policy booleans are forbidden in Android policy, so if there is any
-    output, the policy will fail CTS.
-
-    ATTRIBUTE (attribute)
-    sepolicy-analyze out/target/product/<board>/root/sepolicy attribute <name>
-
-    Displays the types associated with the specified attribute name.
-
-    NEVERALLOW CHECKING (neverallow)
-    sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
-    [-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]
-
-    Check whether the sepolicy file violates any of the neverallow rules
-    from the neverallows.conf file or a given string,  which contain neverallow
-    statements in the same format as the SELinux policy.conf file, i.e. after
-    m4 macro expansion of the rules from a .te file.  You can use an entire
-    policy.conf file as the neverallows.conf file and sepolicy-analyze will
-    ignore everything except for the neverallows within it.  You can also
-    specify this as a command-line string argument, which could be useful for
-    quickly checking an individual expanded rule or group of rules. If there are
-    no violations, sepolicy-analyze will exit successfully with no output.
-    Otherwise, sepolicy-analyze will report all violations and exit
-    with a non-zero exit status.
-
-    The -w or --warn option may be used to warn on any types, attributes,
-    classes, or permissions from a neverallow rule that could not be resolved
-    within the sepolicy file.  This can be normal due to differences between
-    the policy from which the neverallow rules were taken and the policy
-    being checked.  Such values are ignored for the purposes of neverallow
-    checking.
-
-    The -d or --debug option may be used to cause sepolicy-analyze to emit the
-    neverallow rules as it parses them.  This is principally a debugging facility
-    for the parser but could also be used to extract neverallow rules from
-    a full policy.conf file and output them in a more easily parsed format.
diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c
deleted file mode 100644
index 474bda2..0000000
--- a/tools/sepolicy-analyze/attribute.c
+++ /dev/null
@@ -1,39 +0,0 @@
-#include "attribute.h"
-
-void attribute_usage() {
-    fprintf(stderr, "\tattribute <attribute-name>\n");
-}
-
-static int list_attribute(policydb_t * policydb, char *name)
-{
-    struct type_datum *attr;
-    struct ebitmap_node *n;
-    unsigned int bit;
-
-    attr = hashtab_search(policydb->p_types.table, name);
-    if (!attr) {
-        fprintf(stderr, "%s is not defined in this policy.\n", name);
-        return -1;
-    }
-
-    if (attr->flavor != TYPE_ATTRIB) {
-        fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
-        return -1;
-    }
-
-    ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) {
-        if (!ebitmap_node_get_bit(n, bit))
-            continue;
-        printf("%s\n", policydb->p_type_val_to_name[bit]);
-    }
-
-    return 0;
-}
-
-int attribute_func (int argc, char **argv, policydb_t *policydb) {
-    if (argc != 2) {
-        USAGE_ERROR = true;
-        return -1;
-    }
-    return list_attribute(policydb, argv[1]);
-}
diff --git a/tools/sepolicy-analyze/attribute.h b/tools/sepolicy-analyze/attribute.h
deleted file mode 100644
index 05adcbd..0000000
--- a/tools/sepolicy-analyze/attribute.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef ATTRIBUTE_H
-#define ATTRIBUTE_H
-
-#include <sepol/policydb/policydb.h>
-
-#include "utils.h"
-
-void attribute_usage(void);
-int attribute_func(int argc, char **argv, policydb_t *policydb);
-
-#endif /* ATTRIBUTE_H */
diff --git a/tools/sepolicy-analyze/booleans.c b/tools/sepolicy-analyze/booleans.c
deleted file mode 100644
index c3b605d..0000000
--- a/tools/sepolicy-analyze/booleans.c
+++ /dev/null
@@ -1,22 +0,0 @@
-#include "booleans.h"
-
-void booleans_usage() {
-    fprintf(stderr, "\tbooleans\n");
-}
-
-static int list_booleans(hashtab_key_t k,
-                         __attribute__ ((unused)) hashtab_datum_t d,
-                         __attribute__ ((unused)) void *args)
-{
-    const char *name = k;
-    printf("%s\n", name);
-    return 0;
-}
-
-int booleans_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) {
-    if (argc != 1) {
-        USAGE_ERROR = true;
-        return -1;
-    }
-    return hashtab_map(policydb->p_bools.table, list_booleans, NULL);
-}
diff --git a/tools/sepolicy-analyze/booleans.h b/tools/sepolicy-analyze/booleans.h
deleted file mode 100644
index bfbe0e1..0000000
--- a/tools/sepolicy-analyze/booleans.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef BOOLEANS_H
-#define BOOLEANS_H
-
-#include <sepol/policydb/policydb.h>
-
-#include "utils.h"
-
-void booleans_usage(void);
-int booleans_func(int argc, char **argv, policydb_t *policydb);
-
-#endif /* BOOLEANS_H */
diff --git a/tools/sepolicy-analyze/dups.c b/tools/sepolicy-analyze/dups.c
deleted file mode 100644
index 88c2be2..0000000
--- a/tools/sepolicy-analyze/dups.c
+++ /dev/null
@@ -1,91 +0,0 @@
-#include <stdbool.h>
-#include <stdio.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#include "dups.h"
-
-void dups_usage() {
-    fprintf(stderr, "\tdups\n");
-}
-
-static int find_dups_helper(avtab_key_t * k, avtab_datum_t * d,
-                            void *args)
-{
-    policydb_t *policydb = args;
-    ebitmap_t *sattr, *tattr;
-    ebitmap_node_t *snode, *tnode;
-    unsigned int i, j;
-    avtab_key_t avkey;
-    avtab_ptr_t node;
-    struct type_datum *stype, *ttype, *stype2, *ttype2;
-    bool attrib1, attrib2;
-
-    if (!(k->specified & AVTAB_ALLOWED))
-        return 0;
-
-    if (k->source_type == k->target_type)
-        return 0; /* self rule */
-
-    avkey.target_class = k->target_class;
-    avkey.specified = k->specified;
-
-    sattr = &policydb->type_attr_map[k->source_type - 1];
-    tattr = &policydb->type_attr_map[k->target_type - 1];
-    stype = policydb->type_val_to_struct[k->source_type - 1];
-    ttype = policydb->type_val_to_struct[k->target_type - 1];
-    attrib1 = stype->flavor || ttype->flavor;
-    ebitmap_for_each_bit(sattr, snode, i) {
-        if (!ebitmap_node_get_bit(snode, i))
-            continue;
-        ebitmap_for_each_bit(tattr, tnode, j) {
-            if (!ebitmap_node_get_bit(tnode, j))
-                continue;
-            avkey.source_type = i + 1;
-            avkey.target_type = j + 1;
-            if (avkey.source_type == k->source_type &&
-                avkey.target_type == k->target_type)
-                continue;
-            if (avkey.source_type == avkey.target_type)
-                continue; /* self rule */
-            stype2 = policydb->type_val_to_struct[avkey.source_type - 1];
-            ttype2 = policydb->type_val_to_struct[avkey.target_type - 1];
-            attrib2 = stype2->flavor || ttype2->flavor;
-            if (attrib1 && attrib2)
-                continue; /* overlapping attribute-based rules */
-            for (node = avtab_search_node(&policydb->te_avtab, &avkey);
-                 node != NULL;
-                 node = avtab_search_node_next(node, avkey.specified)) {
-                uint32_t perms = node->datum.data & d->data;
-                if ((attrib1 && perms == node->datum.data) ||
-                    (attrib2 && perms == d->data)) {
-                    /*
-                     * The attribute-based rule is a superset of the
-                     * non-attribute-based rule.  This is a dup.
-                     */
-                    printf("Duplicate allow rule found:\n");
-                    display_allow(policydb, k, i, d->data);
-                    display_allow(policydb, &node->key, i, node->datum.data);
-                    printf("\n");
-                }
-            }
-        }
-    }
-
-    return 0;
-}
-
-static int find_dups(policydb_t * policydb)
-{
-    if (avtab_map(&policydb->te_avtab, find_dups_helper, policydb))
-        return -1;
-    return 0;
-}
-
-int dups_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) {
-    if (argc != 1) {
-        USAGE_ERROR = true;
-        return -1;
-    }
-    return find_dups(policydb);
-}
diff --git a/tools/sepolicy-analyze/dups.h b/tools/sepolicy-analyze/dups.h
deleted file mode 100644
index 0e77224..0000000
--- a/tools/sepolicy-analyze/dups.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef DUPS_H
-#define DUPS_H
-
-#include <sepol/policydb/policydb.h>
-
-#include "utils.h"
-
-void dups_usage(void);
-int dups_func(int argc, char **argv, policydb_t *policydb);
-
-#endif /* DUPS_H */
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
deleted file mode 100644
index b288ea7..0000000
--- a/tools/sepolicy-analyze/neverallow.c
+++ /dev/null
@@ -1,515 +0,0 @@
-#include <ctype.h>
-#include <fcntl.h>
-#include <getopt.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <sys/mman.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include "neverallow.h"
-
-static int debug;
-static int warn;
-
-void neverallow_usage() {
-    fprintf(stderr, "\tneverallow [-w|--warn] [-d|--debug] [-n|--neverallows <neverallow-rules>] | [-f|--file <neverallow-file>]\n");
-}
-
-static int read_typeset(policydb_t *policydb, char **ptr, char *end,
-                        type_set_t *typeset, uint32_t *flags)
-{
-    const char *keyword = "self";
-    size_t keyword_size = strlen(keyword), len;
-    char *p = *ptr;
-    unsigned openparens = 0;
-    char *start, *id;
-    type_datum_t *type;
-    struct ebitmap_node *n;
-    unsigned int bit;
-    bool negate = false;
-    int rc;
-
-    do {
-        while (p < end && isspace(*p))
-            p++;
-
-        if (p == end)
-            goto err;
-
-        if (*p == '~') {
-            if (debug)
-                printf(" ~");
-            typeset->flags = TYPE_COMP;
-            p++;
-            while (p < end && isspace(*p))
-                p++;
-            if (p == end)
-                goto err;
-        }
-
-        if (*p == '{') {
-            if (debug && !openparens)
-                printf(" {");
-            openparens++;
-            p++;
-            continue;
-        }
-
-        if (*p == '}') {
-            if (debug && openparens == 1)
-                printf(" }");
-            if (openparens == 0)
-                goto err;
-            openparens--;
-            p++;
-            continue;
-        }
-
-        if (*p == '*') {
-            if (debug)
-                printf(" *");
-            typeset->flags = TYPE_STAR;
-            p++;
-            continue;
-        }
-
-        if (*p == '-') {
-            if (debug)
-                printf(" -");
-            negate = true;
-            p++;
-            continue;
-        }
-
-        if (*p == '#') {
-            while (p < end && *p != '\n')
-                p++;
-            continue;
-        }
-
-        start = p;
-        while (p < end && !isspace(*p) && *p != ':' && *p != ';' && *p != '{' && *p != '}' && *p != '#')
-            p++;
-
-        if (p == start)
-            goto err;
-
-        len = p - start;
-        if (len == keyword_size && !strncmp(start, keyword, keyword_size)) {
-            if (debug)
-                printf(" self");
-            *flags |= RULE_SELF;
-            continue;
-        }
-
-        id = calloc(1, len + 1);
-        if (!id)
-            goto err;
-        memcpy(id, start, len);
-        if (debug)
-            printf(" %s", id);
-        type = hashtab_search(policydb->p_types.table, id);
-        if (!type) {
-            if (warn)
-                fprintf(stderr, "Warning!  Type or attribute %s used in neverallow undefined in policy being checked.\n", id);
-            negate = false;
-            continue;
-        }
-        free(id);
-
-        if (type->flavor == TYPE_ATTRIB) {
-            if (negate)
-                rc = ebitmap_union(&typeset->negset, &policydb->attr_type_map[type->s.value - 1]);
-            else
-                rc = ebitmap_union(&typeset->types, &policydb->attr_type_map[type->s.value - 1]);
-        } else if (negate) {
-            rc = ebitmap_set_bit(&typeset->negset, type->s.value - 1, 1);
-        } else {
-            rc = ebitmap_set_bit(&typeset->types, type->s.value - 1, 1);
-        }
-
-        negate = false;
-
-        if (rc)
-            goto err;
-
-    } while (p < end && openparens);
-
-    if (p == end)
-        goto err;
-
-    if (typeset->flags & TYPE_STAR) {
-        for (bit = 0; bit < policydb->p_types.nprim; bit++) {
-            if (ebitmap_get_bit(&typeset->negset, bit))
-                continue;
-            if (policydb->type_val_to_struct[bit] &&
-                policydb->type_val_to_struct[bit]->flavor == TYPE_ATTRIB)
-                continue;
-            if (ebitmap_set_bit(&typeset->types, bit, 1))
-                goto err;
-        }
-    }
-
-    ebitmap_for_each_bit(&typeset->negset, n, bit) {
-        if (!ebitmap_node_get_bit(n, bit))
-            continue;
-        if (ebitmap_set_bit(&typeset->types, bit, 0))
-            goto err;
-    }
-
-    if (typeset->flags & TYPE_COMP) {
-        for (bit = 0; bit < policydb->p_types.nprim; bit++) {
-            if (policydb->type_val_to_struct[bit] &&
-                policydb->type_val_to_struct[bit]->flavor == TYPE_ATTRIB)
-                continue;
-            if (ebitmap_get_bit(&typeset->types, bit))
-                ebitmap_set_bit(&typeset->types, bit, 0);
-            else {
-                if (ebitmap_set_bit(&typeset->types, bit, 1))
-                    goto err;
-            }
-        }
-    }
-
-    if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags))
-        fprintf(stderr, "Warning!  Empty type set\n");
-
-    *ptr = p;
-    return 0;
-err:
-    return -1;
-}
-
-static int read_classperms(policydb_t *policydb, char **ptr, char *end,
-                           class_perm_node_t **perms)
-{
-    char *p = *ptr;
-    unsigned openparens = 0;
-    char *id, *start;
-    class_datum_t *cls = NULL;
-    perm_datum_t *perm = NULL;
-    class_perm_node_t *classperms = NULL, *node = NULL;
-    bool complement = false;
-
-    while (p < end && isspace(*p))
-        p++;
-
-    if (p == end || *p != ':')
-        goto err;
-    p++;
-
-    if (debug)
-        printf(" :");
-
-    do {
-        while (p < end && isspace(*p))
-            p++;
-
-        if (p == end)
-            goto err;
-
-        if (*p == '{') {
-            if (debug && !openparens)
-                printf(" {");
-            openparens++;
-            p++;
-            continue;
-        }
-
-        if (*p == '}') {
-            if (debug && openparens == 1)
-                printf(" }");
-            if (openparens == 0)
-                goto err;
-            openparens--;
-            p++;
-            continue;
-        }
-
-        if (*p == '#') {
-            while (p < end && *p != '\n')
-                p++;
-            continue;
-        }
-
-        start = p;
-        while (p < end && !isspace(*p) && *p != '{' && *p != '}' && *p != ';' && *p != '#')
-            p++;
-
-        if (p == start)
-            goto err;
-
-        id = calloc(1, p - start + 1);
-        if (!id)
-            goto err;
-        memcpy(id, start, p - start);
-        if (debug)
-            printf(" %s", id);
-        cls = hashtab_search(policydb->p_classes.table, id);
-        if (!cls) {
-            if (warn)
-                fprintf(stderr, "Warning!  Class %s used in neverallow undefined in policy being checked.\n", id);
-            continue;
-        }
-
-        node = calloc(1, sizeof *node);
-        if (!node)
-            goto err;
-        node->tclass = cls->s.value;
-        node->next = classperms;
-        classperms = node;
-        free(id);
-    } while (p < end && openparens);
-
-    if (p == end)
-        goto err;
-
-    if (warn && !classperms)
-        fprintf(stderr, "Warning!  Empty class set\n");
-
-    do {
-        while (p < end && isspace(*p))
-            p++;
-
-        if (p == end)
-            goto err;
-
-        if (*p == '~') {
-            if (debug)
-                printf(" ~");
-            complement = true;
-            p++;
-            while (p < end && isspace(*p))
-                p++;
-            if (p == end)
-                goto err;
-        }
-
-        if (*p == '{') {
-            if (debug && !openparens)
-                printf(" {");
-            openparens++;
-            p++;
-            continue;
-        }
-
-        if (*p == '}') {
-            if (debug && openparens == 1)
-                printf(" }");
-            if (openparens == 0)
-                goto err;
-            openparens--;
-            p++;
-            continue;
-        }
-
-        if (*p == '#') {
-            while (p < end && *p != '\n')
-                p++;
-            continue;
-        }
-
-        start = p;
-        while (p < end && !isspace(*p) && *p != '{' && *p != '}' && *p != ';' && *p != '#')
-            p++;
-
-        if (p == start)
-            goto err;
-
-        id = calloc(1, p - start + 1);
-        if (!id)
-            goto err;
-        memcpy(id, start, p - start);
-        if (debug)
-            printf(" %s", id);
-
-        if (!strcmp(id, "*")) {
-            for (node = classperms; node; node = node->next)
-                node->data = ~0;
-            continue;
-        }
-
-        for (node = classperms; node; node = node->next) {
-            cls = policydb->class_val_to_struct[node->tclass-1];
-            perm = hashtab_search(cls->permissions.table, id);
-            if (cls->comdatum && !perm)
-                perm = hashtab_search(cls->comdatum->permissions.table, id);
-            if (!perm) {
-                if (warn)
-                    fprintf(stderr, "Warning!  Permission %s used in neverallow undefined in class %s in policy being checked.\n", id, policydb->p_class_val_to_name[node->tclass-1]);
-                continue;
-            }
-            node->data |= 1U << (perm->s.value - 1);
-        }
-        free(id);
-    } while (p < end && openparens);
-
-    if (p == end)
-        goto err;
-
-    if (complement) {
-        for (node = classperms; node; node = node->next)
-            node->data = ~node->data;
-    }
-
-    if (warn) {
-        for (node = classperms; node; node = node->next)
-            if (!node->data)
-                fprintf(stderr, "Warning!  Empty permission set\n");
-    }
-
-    *perms = classperms;
-    *ptr = p;
-    return 0;
-err:
-    return -1;
-}
-
-static int check_neverallows(policydb_t *policydb, char *text, char *end)
-{
-    const char *keyword = "neverallow";
-    size_t keyword_size = strlen(keyword), len;
-    struct avrule *neverallows = NULL, *avrule;
-    char *p, *start;
-
-    p = text;
-    while (p < end) {
-        while (p < end && isspace(*p))
-            p++;
-
-        if (*p == '#') {
-            while (p < end && *p != '\n')
-                p++;
-            continue;
-        }
-
-        start = p;
-        while (p < end && !isspace(*p))
-            p++;
-
-        len = p - start;
-        if (len != keyword_size || strncmp(start, keyword, keyword_size))
-            continue;
-
-        if (debug)
-            printf("neverallow");
-
-        avrule = calloc(1, sizeof *avrule);
-        if (!avrule)
-            goto err;
-
-        avrule->specified = AVRULE_NEVERALLOW;
-
-        if (read_typeset(policydb, &p, end, &avrule->stypes, &avrule->flags))
-            goto err;
-
-        if (read_typeset(policydb, &p, end, &avrule->ttypes, &avrule->flags))
-            goto err;
-
-        if (read_classperms(policydb, &p, end, &avrule->perms))
-            goto err;
-
-        while (p < end && *p != ';')
-            p++;
-
-        if (p == end || *p != ';')
-            goto err;
-
-        if (debug)
-            printf(";\n");
-
-        avrule->next = neverallows;
-        neverallows = avrule;
-    }
-
-    if (!neverallows)
-        goto err;
-
-    return check_assertions(NULL, policydb, neverallows);
-err:
-    if (errno == ENOMEM) {
-        fprintf(stderr, "Out of memory while parsing neverallow rules\n");
-    } else
-        fprintf(stderr, "Error while parsing neverallow rules\n");
-    return -1;
-}
-
-static int check_neverallows_file(policydb_t *policydb, const char *filename)
-{
-    int fd;
-    struct stat sb;
-    char *text, *end;
-
-    fd = open(filename, O_RDONLY);
-    if (fd < 0) {
-        fprintf(stderr, "Could not open %s:  %s\n", filename, strerror(errno));
-        return -1;
-    }
-    if (fstat(fd, &sb) < 0) {
-        fprintf(stderr, "Can't stat '%s':  %s\n", filename, strerror(errno));
-        close(fd);
-        return -1;
-    }
-    text = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
-    end = text + sb.st_size;
-    if (text == MAP_FAILED) {
-        fprintf(stderr, "Can't mmap '%s':  %s\n", filename, strerror(errno));
-        close(fd);
-        return -1;
-    }
-    close(fd);
-    return check_neverallows(policydb, text, end);
-}
-
-static int check_neverallows_string(policydb_t *policydb, char *string, size_t len)
-{
-    char *text, *end;
-    text = string;
-    end = text + len;
-    return check_neverallows(policydb, text, end);
-}
-
-int neverallow_func (int argc, char **argv, policydb_t *policydb) {
-    char *rules = 0, *file = 0;
-    char ch;
-
-    struct option neverallow_options[] = {
-        {"debug", no_argument, NULL, 'd'},
-        {"file_input", required_argument, NULL, 'f'},
-        {"neverallow", required_argument, NULL, 'n'},
-        {"warn", no_argument, NULL, 'w'},
-        {NULL, 0, NULL, 0}
-    };
-
-    while ((ch = getopt_long(argc, argv, "df:n:w", neverallow_options, NULL)) != -1) {
-        switch (ch) {
-        case 'd':
-            debug = 1;
-            break;
-        case 'f':
-            file = optarg;
-            break;
-        case 'n':
-            rules = optarg;
-            break;
-        case 'w':
-            warn = 1;
-            break;
-        default:
-            USAGE_ERROR = true;
-            return -1;
-        }
-    }
-
-    if (!(rules || file) || (rules && file)){
-        USAGE_ERROR = true;
-        return -1;
-    }
-    if (file) {
-        return check_neverallows_file(policydb, file);
-    } else {
-        return check_neverallows_string(policydb, rules, strlen(rules));
-    }
-}
diff --git a/tools/sepolicy-analyze/neverallow.h b/tools/sepolicy-analyze/neverallow.h
deleted file mode 100644
index be80822..0000000
--- a/tools/sepolicy-analyze/neverallow.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef NEVERALLOW_H
-#define NEVERALLOW_H
-
-#include <sepol/policydb/policydb.h>
-
-#include "utils.h"
-
-void neverallow_usage(void);
-int neverallow_func(int argc, char **argv, policydb_t *policydb);
-
-#endif /* NEVERALLOW_H */
diff --git a/tools/sepolicy-analyze/perm.c b/tools/sepolicy-analyze/perm.c
deleted file mode 100644
index 4cc4869..0000000
--- a/tools/sepolicy-analyze/perm.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "perm.h"
-
-void permissive_usage() {
-    fprintf(stderr, "\tpermissive\n");
-}
-
-static int list_permissive(policydb_t * policydb)
-{
-    struct ebitmap_node *n;
-    unsigned int bit;
-
-    /*
-     * iterate over all domains and check if domain is in permissive
-     */
-    ebitmap_for_each_bit(&policydb->permissive_map, n, bit)
-    {
-        if (ebitmap_node_get_bit(n, bit)) {
-            printf("%s\n", policydb->p_type_val_to_name[bit -1]);
-        }
-    }
-    return 0;
-}
-
-int permissive_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) {
-    if (argc != 1) {
-        USAGE_ERROR = true;
-        return -1;
-    }
-    return list_permissive(policydb);
-}
diff --git a/tools/sepolicy-analyze/perm.h b/tools/sepolicy-analyze/perm.h
deleted file mode 100644
index 16e619a..0000000
--- a/tools/sepolicy-analyze/perm.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PERM_H
-#define PERM_H
-
-#include <sepol/policydb/policydb.h>
-
-#include "utils.h"
-
-void permissive_usage(void);
-int permissive_func(int argc, char **argv, policydb_t *policydb);
-
-#endif /* PERM_H */
diff --git a/tools/sepolicy-analyze/sepolicy-analyze.c b/tools/sepolicy-analyze/sepolicy-analyze.c
deleted file mode 100644
index b70eaaa..0000000
--- a/tools/sepolicy-analyze/sepolicy-analyze.c
+++ /dev/null
@@ -1,65 +0,0 @@
-#include <stddef.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "dups.h"
-#include "neverallow.h"
-#include "perm.h"
-#include "typecmp.h"
-#include "booleans.h"
-#include "attribute.h"
-#include "utils.h"
-
-#define NUM_COMPONENTS (int) (sizeof(analyze_components)/sizeof(analyze_components[0]))
-
-#define COMP(x) { #x, sizeof(#x) - 1, x ##_usage, x ##_func }
-static struct {
-    const char *key;
-    size_t keylen;
-    void (*usage) (void);
-    int (*func) (int argc, char **argv, policydb_t *policydb);
-} analyze_components[] = {
-    COMP(dups),
-    COMP(neverallow),
-    COMP(permissive),
-    COMP(typecmp),
-    COMP(booleans),
-    COMP(attribute)
-};
-
-void usage(char *arg0)
-{
-    int i;
-
-    fprintf(stderr, "%s must be called on a policy file with a component and the appropriate arguments specified\n", arg0);
-    fprintf(stderr, "%s <policy-file>:\n", arg0);
-    for(i = 0; i < NUM_COMPONENTS; i++) {
-        analyze_components[i].usage();
-    }
-    exit(1);
-}
-
-int main(int argc, char **argv)
-{
-    char *policy;
-    struct policy_file pf;
-    policydb_t policydb;
-    int rc;
-    int i;
-
-    if (argc < 3)
-        usage(argv[0]);
-    policy = argv[1];
-    if(load_policy(policy, &policydb, &pf))
-        exit(1);
-    for(i = 0; i < NUM_COMPONENTS; i++) {
-        if (!strcmp(analyze_components[i].key, argv[2])) {
-            rc = analyze_components[i].func(argc - 2, argv + 2, &policydb);
-            if (rc && USAGE_ERROR) {
-                usage(argv[0]); }
-            return rc;
-        }
-    }
-    usage(argv[0]);
-    exit(0);
-}
diff --git a/tools/sepolicy-analyze/typecmp.c b/tools/sepolicy-analyze/typecmp.c
deleted file mode 100644
index 5fffd63..0000000
--- a/tools/sepolicy-analyze/typecmp.c
+++ /dev/null
@@ -1,295 +0,0 @@
-#include <getopt.h>
-#include <sepol/policydb/expand.h>
-
-#include "typecmp.h"
-
-void typecmp_usage() {
-    fprintf(stderr, "\ttypecmp [-d|--diff] [-e|--equiv]\n");
-}
-
-static int insert_type_rule(avtab_key_t * k, avtab_datum_t * d,
-                            struct avtab_node *type_rules)
-{
-    struct avtab_node *p, *c, *n;
-
-    for (p = type_rules, c = type_rules->next; c; p = c, c = c->next) {
-        /*
-         * Find the insertion point, keeping the list
-         * ordered by source type, then target type, then
-         * target class.
-         */
-        if (k->source_type < c->key.source_type)
-            break;
-        if (k->source_type == c->key.source_type &&
-            k->target_type < c->key.target_type)
-            break;
-        if (k->source_type == c->key.source_type &&
-            k->target_type == c->key.target_type &&
-            k->target_class <= c->key.target_class)
-            break;
-    }
-
-    if (c &&
-        k->source_type == c->key.source_type &&
-        k->target_type == c->key.target_type &&
-        k->target_class == c->key.target_class) {
-        c->datum.data |= d->data;
-        return 0;
-    }
-
-    /* Insert the rule */
-    n = malloc(sizeof(struct avtab_node));
-    if (!n) {
-        fprintf(stderr, "out of memory\n");
-        exit(1);
-    }
-
-    n->key = *k;
-    n->datum = *d;
-    n->next = p->next;
-    p->next = n;
-    return 0;
-}
-
-static int create_type_rules_helper(avtab_key_t * k, avtab_datum_t * d,
-                                    void *args)
-{
-    struct avtab_node *type_rules = args;
-    avtab_key_t key;
-
-    /*
-     * Insert the rule into the list for
-     * the source type.  The source type value
-     * is cleared as we want to compare against other type
-     * rules with different source types.
-     */
-    key = *k;
-    key.source_type = 0;
-    if (k->source_type == k->target_type) {
-        /* Clear target type as well; this is a self rule. */
-        key.target_type = 0;
-    }
-    if (insert_type_rule(&key, d, &type_rules[k->source_type - 1]))
-        return -1;
-
-    if (k->source_type == k->target_type)
-        return 0;
-
-    /*
-     * If the target type differs, then we also
-     * insert the rule into the list for the target
-     * type.  We clear the target type value so that
-     * we can compare against other type rules with
-     * different target types.
-     */
-    key = *k;
-    key.target_type = 0;
-    if (insert_type_rule(&key, d, &type_rules[k->target_type - 1]))
-        return -1;
-
-    return 0;
-}
-
-static int create_type_rules(avtab_key_t * k, avtab_datum_t * d, void *args)
-{
-    if (k->specified & AVTAB_ALLOWED)
-        return create_type_rules_helper(k, d, args);
-    return 0;
-}
-
-static int create_type_rules_cond(avtab_key_t * k, avtab_datum_t * d,
-                                  void *args)
-{
-    if ((k->specified & (AVTAB_ALLOWED|AVTAB_ENABLED)) ==
-        (AVTAB_ALLOWED|AVTAB_ENABLED))
-        return create_type_rules_helper(k, d, args);
-    return 0;
-}
-
-static void free_type_rules(struct avtab_node *l)
-{
-    struct avtab_node *tmp;
-
-    while (l) {
-        tmp = l;
-        l = l->next;
-        free(tmp);
-    }
-}
-
-static int find_match(policydb_t *policydb, struct avtab_node *l1,
-                      int idx1, struct avtab_node *l2, int idx2)
-{
-    struct avtab_node *c;
-    uint32_t perms1, perms2;
-
-    for (c = l2; c; c = c->next) {
-        if (l1->key.source_type < c->key.source_type)
-            break;
-        if (l1->key.source_type == c->key.source_type &&
-            l1->key.target_type < c->key.target_type)
-            break;
-        if (l1->key.source_type == c->key.source_type &&
-            l1->key.target_type == c->key.target_type &&
-            l1->key.target_class <= c->key.target_class)
-            break;
-    }
-
-    if (c &&
-        l1->key.source_type == c->key.source_type &&
-        l1->key.target_type == c->key.target_type &&
-        l1->key.target_class == c->key.target_class) {
-        perms1 = l1->datum.data & ~c->datum.data;
-        perms2 = c->datum.data & ~l1->datum.data;
-        if (perms1 || perms2) {
-            if (perms1)
-                display_allow(policydb, &l1->key, idx1, perms1);
-            if (perms2)
-                display_allow(policydb, &c->key, idx2, perms2);
-            printf("\n");
-            return 1;
-        }
-    }
-
-    return 0;
-}
-
-static int analyze_types(policydb_t * policydb, char diff, char equiv)
-{
-    avtab_t exp_avtab, exp_cond_avtab;
-    struct avtab_node *type_rules, *l1, *l2;
-    struct type_datum *type;
-    size_t i, j;
-
-    /*
-     * Create a list of access vector rules for each type
-     * from the access vector table.
-     */
-    type_rules = malloc(sizeof(struct avtab_node) * policydb->p_types.nprim);
-    if (!type_rules) {
-        fprintf(stderr, "out of memory\n");
-        exit(1);
-    }
-    memset(type_rules, 0, sizeof(struct avtab_node) * policydb->p_types.nprim);
-
-    if (avtab_init(&exp_avtab) || avtab_init(&exp_cond_avtab)) {
-        fputs("out of memory\n", stderr);
-        return -1;
-    }
-
-    if (expand_avtab(policydb, &policydb->te_avtab, &exp_avtab)) {
-        fputs("out of memory\n", stderr);
-        avtab_destroy(&exp_avtab);
-        return -1;
-    }
-
-    if (expand_avtab(policydb, &policydb->te_cond_avtab, &exp_cond_avtab)) {
-        fputs("out of memory\n", stderr);
-        avtab_destroy(&exp_avtab); /*  */
-        return -1;
-    }
-
-    if (avtab_map(&exp_avtab, create_type_rules, type_rules))
-        exit(1);
-
-    if (avtab_map(&exp_cond_avtab, create_type_rules_cond, type_rules))
-        exit(1);
-
-    avtab_destroy(&exp_avtab);
-    avtab_destroy(&exp_cond_avtab);
-
-    /*
-     * Compare the type lists and identify similar types.
-     */
-    for (i = 0; i < policydb->p_types.nprim - 1; i++) {
-        if (!type_rules[i].next)
-            continue;
-        type = policydb->type_val_to_struct[i];
-        if (type->flavor) {
-            free_type_rules(type_rules[i].next);
-            type_rules[i].next = NULL;
-            continue;
-        }
-        for (j = i + 1; j < policydb->p_types.nprim; j++) {
-            type = policydb->type_val_to_struct[j];
-            if (type->flavor) {
-                free_type_rules(type_rules[j].next);
-                type_rules[j].next = NULL;
-                continue;
-            }
-            for (l1 = type_rules[i].next, l2 = type_rules[j].next;
-                 l1 && l2; l1 = l1->next, l2 = l2->next) {
-                if (l1->key.source_type != l2->key.source_type)
-                    break;
-                if (l1->key.target_type != l2->key.target_type)
-                    break;
-                if (l1->key.target_class != l2->key.target_class
-                    || l1->datum.data != l2->datum.data)
-                    break;
-            }
-            if (l1 || l2) {
-                if (diff) {
-                    printf
-                        ("Types %s and %s differ, starting with:\n",
-                         policydb->p_type_val_to_name[i],
-                         policydb->p_type_val_to_name[j]);
-
-                    if (l1 && l2) {
-                        if (find_match(policydb, l1, i, l2, j))
-                            continue;
-                        if (find_match(policydb, l2, j, l1, i))
-                            continue;
-                    }
-                    if (l1)
-                        display_allow(policydb, &l1->key, i, l1->datum.data);
-                    if (l2)
-                        display_allow(policydb, &l2->key, j, l2->datum.data);
-                    printf("\n");
-                }
-                continue;
-            }
-            free_type_rules(type_rules[j].next);
-            type_rules[j].next = NULL;
-            if (equiv) {
-                printf("Types %s and %s are equivalent.\n",
-                       policydb->p_type_val_to_name[i],
-                       policydb->p_type_val_to_name[j]);
-            }
-        }
-        free_type_rules(type_rules[i].next);
-        type_rules[i].next = NULL;
-    }
-
-    free(type_rules);
-    return 0;
-}
-
-int typecmp_func (int argc, char **argv, policydb_t *policydb) {
-    char ch, diff = 0, equiv = 0;
-
-    struct option typecmp_options[] = {
-        {"diff", no_argument, NULL, 'd'},
-        {"equiv", no_argument, NULL, 'e'},
-        {NULL, 0, NULL, 0}
-    };
-
-    while ((ch = getopt_long(argc, argv, "de", typecmp_options, NULL)) != -1) {
-        switch (ch) {
-        case 'd':
-            diff = 1;
-            break;
-        case 'e':
-            equiv = 1;
-            break;
-        default:
-            USAGE_ERROR = true;
-            return -1;
-        }
-    }
-
-    if (!(diff || equiv)) {
-        USAGE_ERROR = true;
-        return -1;
-    }
-    return analyze_types(policydb, diff, equiv);
-}
diff --git a/tools/sepolicy-analyze/typecmp.h b/tools/sepolicy-analyze/typecmp.h
deleted file mode 100644
index f93daaa..0000000
--- a/tools/sepolicy-analyze/typecmp.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef TYPECMP_H
-#define TYPECMP_H
-
-#include <sepol/policydb/policydb.h>
-
-#include "utils.h"
-
-void typecmp_usage(void);
-int typecmp_func(int argc, char **argv, policydb_t *policydb);
-
-#endif /* TYPECMP_H */
diff --git a/tools/sepolicy-analyze/utils.c b/tools/sepolicy-analyze/utils.c
deleted file mode 100644
index 5e52f59..0000000
--- a/tools/sepolicy-analyze/utils.c
+++ /dev/null
@@ -1,68 +0,0 @@
-#include <fcntl.h>
-#include <sepol/policydb/policydb.h>
-#include <sepol/policydb/util.h>
-#include <sys/mman.h>
-#include <sys/stat.h>
-#include <unistd.h>
-
-#include "utils.h"
-
-bool USAGE_ERROR = false;
-
-void display_allow(policydb_t *policydb, avtab_key_t *key, int idx, uint32_t perms)
-{
-    printf("    allow %s %s:%s { %s };\n",
-           policydb->p_type_val_to_name[key->source_type
-                                        ? key->source_type - 1 : idx],
-           key->target_type == key->source_type ? "self" :
-           policydb->p_type_val_to_name[key->target_type
-                                        ? key->target_type - 1 : idx],
-           policydb->p_class_val_to_name[key->target_class - 1],
-           sepol_av_to_string
-           (policydb, key->target_class, perms));
-}
-
-int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf)
-{
-    int fd;
-    struct stat sb;
-    void *map;
-    int ret;
-
-    fd = open(filename, O_RDONLY);
-    if (fd < 0) {
-        fprintf(stderr, "Can't open '%s':  %s\n", filename, strerror(errno));
-        return 1;
-    }
-    if (fstat(fd, &sb) < 0) {
-        fprintf(stderr, "Can't stat '%s':  %s\n", filename, strerror(errno));
-        close(fd);
-        return 1;
-    }
-    map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-    if (map == MAP_FAILED) {
-        fprintf(stderr, "Can't mmap '%s':  %s\n", filename, strerror(errno));
-        close(fd);
-        return 1;
-    }
-
-    policy_file_init(pf);
-    pf->type = PF_USE_MEMORY;
-    pf->data = map;
-    pf->len = sb.st_size;
-    if (policydb_init(policydb)) {
-        fprintf(stderr, "Could not initialize policydb!\n");
-        close(fd);
-        munmap(map, sb.st_size);
-        return 1;
-    }
-    ret = policydb_read(policydb, pf, 0);
-    if (ret) {
-        fprintf(stderr, "error(s) encountered while parsing configuration\n");
-        close(fd);
-        munmap(map, sb.st_size);
-        return 1;
-    }
-
-    return 0;
-}
diff --git a/tools/sepolicy-analyze/utils.h b/tools/sepolicy-analyze/utils.h
deleted file mode 100644
index 83f5a78..0000000
--- a/tools/sepolicy-analyze/utils.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef UTILS_H
-#define UTILS_H
-
-#include <stdbool.h>
-#include <stdint.h>
-#include <sepol/policydb/avtab.h>
-#include <sepol/policydb/policydb.h>
-
-
-extern bool USAGE_ERROR;
-
-void display_allow(policydb_t *policydb, avtab_key_t *key, int idx, uint32_t perms);
-
-int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf);
-
-#endif /* UTILS_H */
diff --git a/tools/sepolicy-check.c b/tools/sepolicy-check.c
deleted file mode 100644
index 713e7c1..0000000
--- a/tools/sepolicy-check.c
+++ /dev/null
@@ -1,296 +0,0 @@
-#include <getopt.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <sepol/policydb/policydb.h>
-#include <sepol/policydb/services.h>
-#include <sepol/policydb/expand.h>
-
-#define EQUALS 0
-#define NOT 1
-#define ANY 2
-
-void usage(char *arg0) {
-	fprintf(stderr, "%s -s <source> -t <target> -c <class> -p <perm> -P <policy file>\n", arg0);
-	exit(1);
-}
-
-void *cmalloc(size_t s) {
-	void *t = malloc(s);
-	if (t == NULL) {
-		fprintf(stderr, "Out of memory\n");
-		exit(1);
-	}
-	return t;
-}
-
-int parse_ops(char **arg) {
-	switch (*arg[0]) {
-		case '-':
-			*arg = *arg + 1;
-			return NOT;
-		case '*':
-			return ANY;
-		default:
-			return EQUALS;
-	}
-}
-
-int check(int op, uint16_t arg1, uint16_t arg2) {
-	switch (op) {
-		case EQUALS:
-			return arg1 == arg2;
-		case NOT:
-			return arg1 != arg2;
-		case ANY:
-			return 1;
-		default:
-			fprintf(stderr, "Bad op while checking!");
-			return 2;
-	}
-}
-
-int check_perm(avtab_ptr_t current, perm_datum_t *perm) {
-	uint16_t perm_bitmask = 1U << (perm->s.value - 1);
-	return (current->datum.data & perm_bitmask) != 0;
-}
-
-
-int expand_and_check(int s_op, uint32_t source_type,
-		     int t_op, uint32_t target_type,
-		     int c_op, uint32_t target_class,
-		     perm_datum_t *perm, policydb_t *policy, avtab_t *avtab) {
-	avtab_t exp_avtab;
-	avtab_ptr_t cur;
-	unsigned int i;
-	int match;
-
-	if (avtab_init(&exp_avtab)) {
-		fputs("out of memory\n", stderr);
-		return -1;
-	}
-
-	if (expand_avtab(policy, avtab, &exp_avtab)) {
-		fputs("out of memory\n", stderr);
-		avtab_destroy(&exp_avtab);
-		return -1;
-	}
-
-	for (i = 0; i < exp_avtab.nslot; i++) {
-		for (cur = exp_avtab.htable[i]; cur; cur = cur->next) {
-			match = 1;
-			match &= check(s_op, source_type, cur->key.source_type);
-			match &= check(t_op, target_type, cur->key.target_type);
-			match &= check(c_op, target_class, cur->key.target_class);
-			match &= check_perm(cur, perm);
-			if (match) {
-				avtab_destroy(&exp_avtab);
-				return 1;
-			}
-		}
-	}
-
-	avtab_destroy(&exp_avtab);
-	return 0;
-}
-
-/*
- * Checks to see if a rule matching the given arguments already exists.
- *
- * The format for the arguments is as follows:
- *
- * - A bare string is treated as a literal and will be matched by equality.
- * - A string starting with "-" will be matched by inequality.
- * - A string starting with "*" will be treated as a wildcard.
- *
- * The return codes for this function are as follows:
- *
- * - 0 indicates a successful return without a match
- * - 1 indicates a successful return with a match
- * - -1 indicates an error
- */
-int check_rule(char *s, char *t, char *c, char *p, policydb_t *policy) {
-	type_datum_t *src = NULL;
-	type_datum_t *tgt = NULL;
-	class_datum_t *cls = NULL;
-	perm_datum_t *perm = NULL;
-	int s_op = parse_ops(&s);
-	int t_op = parse_ops(&t);
-	int c_op = parse_ops(&c);
-	int p_op = parse_ops(&p);
-	avtab_key_t key;
-	int match;
-
-	key.source_type = key.target_type = key.target_class = 0;
-
-	if (s_op != ANY) {
-		src = hashtab_search(policy->p_types.table, s);
-		if (src == NULL) {
-			fprintf(stderr, "source type %s does not exist\n", s);
-			return -1;
-		}
-	}
-	if (t_op != ANY) {
-		tgt = hashtab_search(policy->p_types.table, t);
-		if (tgt == NULL) {
-			fprintf(stderr, "target type %s does not exist\n", t);
-			return -1;
-		}
-	}
-	if (c_op != ANY) {
-		cls = hashtab_search(policy->p_classes.table, c);
-		if (cls == NULL) {
-			fprintf(stderr, "class %s does not exist\n", c);
-			return -1;
-		}
-	}
-	if (p_op != ANY) {
-		perm = hashtab_search(cls->permissions.table, p);
-		if (perm == NULL) {
-			if (cls->comdatum == NULL) {
-				fprintf(stderr, "perm %s does not exist in class %s\n", p, c);
-				return -1;
-			}
-			perm = hashtab_search(cls->comdatum->permissions.table, p);
-			if (perm == NULL) {
-				fprintf(stderr, "perm %s does not exist in class %s\n", p, c);
-				return -1;
-			}
-		}
-	}
-
-	if (s_op != ANY)
-		key.source_type = src->s.value;
-	if (t_op != ANY)
-		key.target_type = tgt->s.value;
-	if (c_op != ANY)
-		key.target_class = cls->s.value;
-
-	/* Check unconditional rules after attribute expansion. */
-	match = expand_and_check(s_op, key.source_type,
-				 t_op, key.target_type,
-				 c_op, key.target_class,
-				 perm, policy, &policy->te_avtab);
-	if (match)
-		return match;
-
-	/* Check conditional rules after attribute expansion. */
-	return expand_and_check(s_op, key.source_type,
-				t_op, key.target_type,
-				c_op, key.target_class,
-				perm, policy, &policy->te_cond_avtab);
-}
-
-int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
-	int fd;
-	struct stat sb;
-	void *map;
-	int ret;
-
-	fd = open(filename, O_RDONLY);
-	if (fd < 0) {
-		fprintf(stderr, "Can't open '%s':  %s\n", filename, strerror(errno));
-		return 1;
-	}
-	if (fstat(fd, &sb) < 0) {
-		fprintf(stderr, "Can't stat '%s':  %s\n", filename, strerror(errno));
-		close(fd);
-		return 1;
-	}
-	map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-	if (map == MAP_FAILED) {
-		fprintf(stderr, "Can't mmap '%s':  %s\n", filename, strerror(errno));
-		close(fd);
-		return 1;
-	}
-
-	policy_file_init(pf);
-	pf->type = PF_USE_MEMORY;
-	pf->data = map;
-	pf->len = sb.st_size;
-	if (policydb_init(policydb)) {
-		fprintf(stderr, "Could not initialize policydb!\n");
-		close(fd);
-		munmap(map, sb.st_size);
-		return 1;
-	}
-	ret = policydb_read(policydb, pf, 0);
-	if (ret) {
-		fprintf(stderr, "error(s) encountered while parsing configuration\n");
-		close(fd);
-		munmap(map, sb.st_size);
-		return 1;
-	}
-
-	return 0;
-}
-
-
-int main(int argc, char **argv)
-{
-	char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
-	policydb_t policydb;
-	struct policy_file pf;
-	sidtab_t sidtab;
-	char ch;
-	int match = 1;
-
-	struct option long_options[] = {
-			{"source", required_argument, NULL, 's'},
-			{"target", required_argument, NULL, 't'},
-			{"class", required_argument, NULL, 'c'},
-			{"perm", required_argument, NULL, 'p'},
-			{"policy", required_argument, NULL, 'P'},
-			{NULL, 0, NULL, 0}
-	};
-
-	while ((ch = getopt_long(argc, argv, "s:t:c:p:P:", long_options, NULL)) != -1) {
-		switch (ch) {
-			case 's':
-				source = optarg;
-				break;
-			case 't':
-				target = optarg;
-				break;
-			case 'c':
-				class = optarg;
-				break;
-			case 'p':
-				perm = optarg;
-				break;
-			case 'P':
-				policy = optarg;
-				break;
-			default:
-				usage(argv[0]);
-		}
-	}
-
-	if (!source || !target || !class || !perm || !policy)
-		usage(argv[0]);
-
-	sepol_set_policydb(&policydb);
-	sepol_set_sidtab(&sidtab);
-
-	if (load_policy(policy, &policydb, &pf))
-		goto out;
-
-	match = check_rule(source, target, class, perm, &policydb);
-	if (match < 0) {
-		fprintf(stderr, "Error checking rules!\n");
-		goto out;
-	} else if (match > 0) {
-		printf("Match found!\n");
-		goto out;
-	}
-
-	match = 0;
-
-out:
-	policydb_destroy(&policydb);
-	return match;
-}
diff --git a/tzdatacheck.te b/tzdatacheck.te
deleted file mode 100644
index f61cb47..0000000
--- a/tzdatacheck.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain, domain_deprecated;
-type tzdatacheck_exec, exec_type, file_type;
-
-init_daemon_domain(tzdatacheck)
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
diff --git a/ueventd.te b/ueventd.te
deleted file mode 100644
index f67c0db..0000000
--- a/ueventd.te
+++ /dev/null
@@ -1,42 +0,0 @@
-# ueventd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type ueventd, domain, domain_deprecated;
-tmpfs_domain(ueventd)
-
-# TODO: why is ueventd using __kmsg__ when it should just create
-# and use /dev/kmsg instead?
-type_transition ueventd device:chr_file klog_device "__kmsg__";
-allow ueventd klog_device:chr_file { create open write unlink };
-
-allow ueventd init:process sigchld;
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
-allow ueventd device:file create_file_perms;
-allow ueventd device:chr_file rw_file_perms;
-allow ueventd sysfs:file rw_file_perms;
-allow ueventd sysfs_hwrandom:file w_file_perms;
-allow ueventd sysfs_zram_uevent:file w_file_perms;
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
-allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-#####
-##### neverallow rules
-#####
-
-# ueventd must never set properties, otherwise deadlocks may occur.
-# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
-# No writing to the property socket, connecting to init, or setting properties.
-neverallow ueventd property_socket:sock_file write;
-neverallow ueventd init:unix_stream_socket connectto;
-neverallow ueventd property_type:property_service set;
diff --git a/uncrypt.te b/uncrypt.te
deleted file mode 100644
index 9231a4d..0000000
--- a/uncrypt.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# uncrypt
-type uncrypt, domain, domain_deprecated, mlstrustedsubject;
-type uncrypt_exec, exec_type, file_type;
-
-init_daemon_domain(uncrypt)
-
-allow uncrypt self:capability dac_override;
-
-# Read OTA zip file from /data/data/com.google.android.gsf/app_download
-r_dir_file(uncrypt, app_data_file)
-
-userdebug_or_eng(`
-  # For debugging, allow /data/local/tmp access
-  r_dir_file(uncrypt, shell_data_file)
-')
-
-# Read /cache/recovery/command
-# Read /cache/recovery/uncrypt_file
-# Write to pipe file /cache/recovery/uncrypt_status
-allow uncrypt cache_recovery_file:dir rw_dir_perms;
-allow uncrypt cache_recovery_file:file create_file_perms;
-allow uncrypt cache_recovery_file:fifo_file w_file_perms;
-
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
-
-# Raw writes to block device
-allow uncrypt self:capability sys_rawio;
-allow uncrypt misc_block_device:blk_file w_file_perms;
-allow uncrypt block_device:dir r_dir_perms;
-
-# Access userdata block device.
-allow uncrypt userdata_block_device:blk_file w_file_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
deleted file mode 100644
index 47ccb55..0000000
--- a/untrusted_app.te
+++ /dev/null
@@ -1,178 +0,0 @@
-###
-### Untrusted apps.
-###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory).  The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml.  In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key.  To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-### untrusted_app includes all the appdomain rules, plus the
-### additional following rules:
-###
-
-type untrusted_app, domain;
-app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app app_data_file:file { rx_file_perms execmod };
-
-# ASEC
-allow untrusted_app asec_apk_file:file r_file_perms;
-# Execute libs in asec containers.
-allow untrusted_app asec_public_file:file { execute execmod };
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-# TODO: Long term, we don't want apps probing into shell data files.
-# Figure out a way to remove these rules.
-allow untrusted_app shell_data_file:file r_file_perms;
-allow untrusted_app shell_data_file:dir r_dir_perms;
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app system_app_data_file:file { read write getattr };
-
-#
-# Rules migrated from old app domains coalesced into untrusted_app.
-# This includes what used to be media_app, shared_app, and release_app.
-#
-
-# Access to /data/media.
-allow untrusted_app media_rw_data_file:dir create_dir_perms;
-allow untrusted_app media_rw_data_file:file create_file_perms;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app mnt_media_rw_file:dir search;
-
-# allow cts to query all services
-allow untrusted_app servicemanager:service_manager list;
-
-allow untrusted_app drmserver_service:service_manager find;
-allow untrusted_app mediaserver_service:service_manager find;
-allow untrusted_app nfc_service:service_manager find;
-allow untrusted_app radio_service:service_manager find;
-allow untrusted_app surfaceflinger_service:service_manager find;
-allow untrusted_app app_api_service:service_manager find;
-
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
-  allow untrusted_app perfprofd_data_file:file r_file_perms;
-  allow untrusted_app perfprofd_data_file:dir r_dir_perms;
-')
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_app self:process ptrace;
-
-# Programs routinely attempt to scan through /system, looking
-# for files. Suppress the denials when they occur.
-dontaudit untrusted_app exec_type:file getattr;
-
-# TODO: switch to meminfo service
-allow untrusted_app proc_meminfo:file r_file_perms;
-
-# access /proc/net/xt_qtguid/stats
-r_dir_file(untrusted_app, proc_net)
-
-# Cts: HwRngTest
-allow untrusted_app sysfs_hwrandom:dir search;
-allow untrusted_app sysfs_hwrandom:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow untrusted_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow untrusted_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow untrusted_app debugfs_type:file read;
-
-# Do not allow untrusted apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow untrusted_app service_manager_type:service_manager add;
-
-# Do not allow untrusted_apps to connect to the property service
-# or set properties. b/10243159
-neverallow untrusted_app property_socket:sock_file write;
-neverallow untrusted_app init:unix_stream_socket connectto;
-neverallow untrusted_app property_type:property_service set;
-
-# Do not allow untrusted_app to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints.  As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and untrusted_app is allowed fork permission to itself.
-neverallow untrusted_app mlstrustedsubject:process fork;
-
-# Do not allow untrusted_app to hard link to any files.
-# In particular, if untrusted_app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure untrusted_app never has this
-# capability.
-neverallow untrusted_app file_type:file link;
-
-# Do not allow untrusted_app to access network MAC address file
-neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
-
-# Do not allow untrusted_app access to /cache
-neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
-
-# Do not allow untrusted_app to set system properties.
-neverallow untrusted_app property_socket:sock_file write;
-neverallow untrusted_app property_type:property_service set;
-
-# Do not allow untrusted_app to create/unlink files outside of its sandbox,
-# internal storage or sdcard.
-# World accessible data locations allow application to fill the device
-# with unaccounted for data. This data will not get removed during
-# application un-installation.
-neverallow untrusted_app {
-  fs_type
-  -fuse                     # sdcard
-  file_type
-  -app_data_file            # The apps sandbox itself
-  -media_rw_data_file       # Internal storage. Known that apps can
-                            # leave artfacts here after uninstall.
-  userdebug_or_eng(`
-    -method_trace_data_file # only on ro.debuggable=1
-    -coredump_file          # userdebug/eng only
-  ')
-}:dir_file_class_set { create unlink };
-
-# Do not allow untrusted_app to directly open tun_device
-neverallow untrusted_app tun_device:chr_file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-neverallow untrusted_app anr_data_file:file ~{ open append };
-neverallow untrusted_app anr_data_file:dir ~search;
diff --git a/update_engine.te b/update_engine.te
deleted file mode 100644
index cf614e6..0000000
--- a/update_engine.te
+++ /dev/null
@@ -1,60 +0,0 @@
-# Domain for update_engine daemon.
-type update_engine, domain, domain_deprecated;
-type update_engine_exec, exec_type, file_type;
-type update_engine_data_file, file_type, data_file_type;
-
-init_daemon_domain(update_engine);
-net_domain(update_engine);
-
-# Following permissions are needed for update_engine.
-allow update_engine self:process { setsched };
-allow update_engine self:capability { fowner sys_admin };
-allow update_engine kmsg_device:chr_file w_file_perms;
-allow update_engine update_engine_exec:file rx_file_perms;
-wakelock_use(update_engine);
-
-# Ignore these denials.
-dontaudit update_engine kernel:process setsched;
-
-# Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir { create_dir_perms };
-allow update_engine update_engine_data_file:file { create_file_perms };
-
-# Allow update_engine to reach block devices in /dev/block.
-allow update_engine block_device:dir search;
-
-# Allow read/write on system and boot partitions.
-allow update_engine boot_block_device:blk_file rw_file_perms;
-allow update_engine system_block_device:blk_file rw_file_perms;
-
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
-# Allow update_engine to mount on the /postinstall directory and reset the
-# labels on the mounted filesystem to postinstall_file.
-allow update_engine postinstall_mnt_dir:dir mounton;
-allow update_engine postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine labeledfs:filesystem relabelfrom;
-
-# Allow update_engine to read and execute postinstall_file.
-allow update_engine postinstall_file:file rx_file_perms;
-allow update_engine postinstall_file:lnk_file r_file_perms;
-allow update_engine postinstall_file:dir r_dir_perms;
-
-# The postinstall program is run by update_engine and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
-domain_auto_trans(update_engine, postinstall_file, postinstall)
-
-# A postinstall program is typically a shell script (with a #!), so we allow
-# to execute those.
-allow update_engine shell_exec:file rx_file_perms;
-
-# Register the service to perform Binder IPC.
-binder_use(update_engine)
-allow update_engine update_engine_service:service_manager { add };
-
-# Allow update_engine to call the callback function provided by priv_app.
-binder_call(update_engine, priv_app)
-
-# Allow read/write bootctrl block device.
-allow update_engine bootctrl_block_device:blk_file rw_file_perms;
diff --git a/update_verifier.te b/update_verifier.te
deleted file mode 100644
index 42567fe..0000000
--- a/update_verifier.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# update_verifier
-type update_verifier, domain;
-type update_verifier_exec, exec_type, file_type;
-
-init_daemon_domain(update_verifier)
-
-# Raw writes to bootctrl block device
-allow update_verifier bootctrl_block_device:blk_file rw_file_perms;
-
-# TODO: Add rules to allow update_verifier to read system_block_device.
diff --git a/users b/users
deleted file mode 100644
index 51b7b57..0000000
--- a/users
+++ /dev/null
@@ -1 +0,0 @@
-user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/vdc.te b/vdc.te
deleted file mode 100644
index 5478965..0000000
--- a/vdc.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# vdc spawned from init for the following services:
-#  defaultcrypto
-#  encrypt
-#
-# We also transition into this domain from dumpstate, when
-# collecting bug reports.
-
-type vdc, domain, domain_deprecated;
-type vdc_exec, exec_type, file_type;
-
-init_daemon_domain(vdc)
-
-unix_socket_connect(vdc, vold, vold)
-
-# vdc sends information back to dumpstate when "adb bugreport" is used
-allow vdc dumpstate:fd use;
-allow vdc dumpstate:unix_stream_socket { read write getattr };
-
-# vdc information is written to shell owned bugreport files
-allow vdc shell_data_file:file { write getattr };
-
-# Why?
-allow vdc dumpstate:unix_dgram_socket { read write };
diff --git a/vold.te b/vold.te
deleted file mode 100644
index 737037d..0000000
--- a/vold.te
+++ /dev/null
@@ -1,193 +0,0 @@
-# volume manager
-type vold, domain, domain_deprecated;
-type vold_exec, exec_type, file_type;
-
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
-# Read already opened /cache files.
-allow vold cache_file:dir r_dir_perms;
-allow vold cache_file:file { getattr read };
-allow vold cache_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(vold, proc)
-r_dir_file(vold, proc_net)
-r_dir_file(vold, sysfs)
-r_dir_file(vold, rootfs)
-
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
-
-# Allow us to jump into execution domains of above tools
-allow vold self:process setexec;
-
-# For sgdisk launched through popen()
-allow vold shell_exec:file rx_file_perms;
-
-typeattribute vold mlstrustedsubject;
-allow vold self:process setfscreate;
-allow vold system_file:file x_file_perms;
-allow vold block_device:dir create_dir_perms;
-allow vold device:dir write;
-allow vold devpts:chr_file rw_file_perms;
-allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
-
-# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
-
-# Access to storage that backs emulated FUSE daemons for migration optimization
-allow vold media_rw_data_file:dir create_dir_perms;
-allow vold media_rw_data_file:file create_file_perms;
-
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
-
-# Allow mounting of storage devices
-allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
-allow vold sdcard_type:filesystem { mount unmount remount };
-
-# Manage per-user primary symlinks
-allow vold mnt_user_file:dir create_dir_perms;
-allow vold mnt_user_file:lnk_file create_file_perms;
-
-# Allow to create and mount expanded storage
-allow vold mnt_expand_file:dir { create_dir_perms mounton };
-allow vold apk_data_file:dir { create getattr setattr };
-allow vold shell_data_file:dir { create getattr setattr };
-
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir create_dir_perms;
-allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket create_socket_perms;
-allow vold app_data_file:dir search;
-allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file create_file_perms;
-allow vold vold_device:blk_file create_file_perms;
-allow vold dm_device:chr_file rw_file_perms;
-allow vold dm_device:blk_file rw_file_perms;
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir r_dir_perms;
-allow vold domain:{ file lnk_file } r_file_perms;
-allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace kill };
-
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
-allow vold kmsg_device:chr_file rw_file_perms;
-
-# Run fsck in the fsck domain.
-allow vold fsck_exec:file { r_file_perms execute };
-
-# Log fsck results
-allow vold fscklogs:dir rw_dir_perms;
-allow vold fscklogs:file create_file_perms;
-
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount remount };
-
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
-# Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# Property Service
-set_prop(vold, vold_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-
-# ASEC
-allow vold asec_image_file:file create_file_perms;
-allow vold asec_image_file:dir rw_dir_perms;
-allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
-allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
-allow vold asec_public_file:file { relabelto setattr };
-# restorecon files in asec containers created on 4.2 or earlier.
-allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
-allow vold unlabeled:file { r_file_perms setattr relabelfrom };
-
-# Handle wake locks (used for device encryption)
-wakelock_use(vold)
-
-# talk to batteryservice
-binder_use(vold)
-binder_call(vold, healthd)
-
-# talk to keymaster
-allow vold tee_device:chr_file rw_file_perms;
-
-# Access userdata block device.
-allow vold userdata_block_device:blk_file rw_file_perms;
-
-# Access metadata block device used for encryption meta-data.
-allow vold metadata_block_device:blk_file rw_file_perms;
-
-# Allow vold to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file } create_file_perms;
-allow vold unencrypted_data_file:dir create_dir_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow vold proc_drop_caches:file w_file_perms;
-
-# Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir create_dir_perms;
-allow vold vold_data_file:file create_file_perms;
-
-# linux keyring configuration
-allow vold init:key { write search setattr };
-allow vold vold:key { write search setattr };
-
-# vold temporarily changes its priority when running benchmarks
-allow vold self:capability sys_nice;
-
-# vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:capability sys_chroot;
-allow vold storage_file:dir mounton;
-
-# For AppFuse.
-allow vold fuse_device:chr_file rw_file_perms;
-allow vold fuse:filesystem { relabelfrom };
-allow vold app_fusefs:filesystem { relabelfrom relabelto };
-allow vold app_fusefs:filesystem { mount unmount };
-
-# coldboot of /sys/block
-allow vold sysfs_zram:dir r_dir_perms;
-allow vold sysfs_zram_uevent:file rw_file_perms;
-
-# MoveTask.cpp executes cp and rm
-allow vold toolbox_exec:file rx_file_perms;
-
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
-neverallow { domain -vold -init } restorecon_prop:property_service set;
-
-neverallow vold fsck_exec:file execute_no_trans;
diff --git a/watchdogd.te b/watchdogd.te
deleted file mode 100644
index 00292a9..0000000
--- a/watchdogd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain;
-allow watchdogd watchdog_device:chr_file rw_file_perms;
-allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/wpa.te b/wpa.te
deleted file mode 100644
index 46d975b..0000000
--- a/wpa.te
+++ /dev/null
@@ -1,48 +0,0 @@
-# wpa - wpa supplicant or equivalent
-type wpa, domain, domain_deprecated;
-type wpa_exec, exec_type, file_type;
-
-init_daemon_domain(wpa)
-
-net_domain(wpa)
-
-allow wpa kernel:system module_request;
-allow wpa self:capability { setuid net_admin setgid net_raw };
-allow wpa cgroup:dir create_dir_perms;
-allow wpa self:netlink_route_socket nlmsg_write;
-allow wpa self:netlink_socket create_socket_perms;
-allow wpa self:netlink_generic_socket create_socket_perms;
-allow wpa self:packet_socket create_socket_perms;
-allow wpa wifi_data_file:dir create_dir_perms;
-allow wpa wifi_data_file:file create_file_perms;
-unix_socket_send(wpa, system_wpa, system_server)
-
-binder_use(wpa)
-
-# Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:dir wpa_socket "sockets";
-allow wpa wpa_socket:dir create_dir_perms;
-allow wpa wpa_socket:sock_file create_file_perms;
-
-use_keystore(wpa)
-
-# WPA (wifi) has a restricted set of permissions from the default.
-allow wpa keystore:keystore_key {
-	get
-	sign
-	verify
-};
-
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which wpa supplicant communicates with.
-userdebug_or_eng(`
-  unix_socket_send(wpa, wpa, su)
-')
-
-###
-### neverallow rules
-###
-
-# wpa_supplicant should not trust any data from sdcards
-neverallow wpa sdcard_type:dir ~getattr;
-neverallow wpa sdcard_type:file *;
diff --git a/zygote.te b/zygote.te
deleted file mode 100644
index e1be061..0000000
--- a/zygote.te
+++ /dev/null
@@ -1,97 +0,0 @@
-# zygote
-type zygote, domain, domain_deprecated;
-type zygote_exec, exec_type, file_type;
-
-init_daemon_domain(zygote)
-typeattribute zygote mlstrustedsubject;
-# Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner chown };
-# Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
-# Switch SELinux context to app domains.
-allow zygote self:process setcurrent;
-allow zygote system_server:process dyntransition;
-allow zygote appdomain:process dyntransition;
-# Allow zygote to read app /proc/pid dirs (b/10455872)
-allow zygote appdomain:dir { getattr search };
-allow zygote appdomain:file { r_file_perms };
-# Move children into the peer process group.
-allow zygote system_server:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
-# Read system data.
-allow zygote system_data_file:dir r_dir_perms;
-allow zygote system_data_file:file r_file_perms;
-# Write to /data/dalvik-cache.
-allow zygote dalvikcache_data_file:dir create_dir_perms;
-allow zygote dalvikcache_data_file:file create_file_perms;
-# Create symlinks in /data/dalvik-cache
-allow zygote dalvikcache_data_file:lnk_file create_file_perms;
-# Write to /data/resource-cache
-allow zygote resourcecache_data_file:dir rw_dir_perms;
-allow zygote resourcecache_data_file:file create_file_perms;
-# For art.
-allow zygote dalvikcache_data_file:file execute;
-# Execute idmap and dex2oat within zygote's own domain.
-# TODO:  Should either of these be transitioned to the same domain
-# used by installd or stay in-domain for zygote?
-allow zygote idmap_exec:file rx_file_perms;
-allow zygote dex2oat_exec:file rx_file_perms;
-# Control cgroups.
-allow zygote cgroup:dir create_dir_perms;
-allow zygote self:capability sys_admin;
-# Check validity of SELinux context before use.
-selinux_check_context(zygote)
-# Check SELinux permissions.
-selinux_check_access(zygote)
-
-# Native bridge functionality requires that zygote replaces
-# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
-allow zygote proc_cpuinfo:file mounton;
-
-# Allow remounting rootfs as MS_SLAVE
-allow zygote rootfs:dir mounton;
-allow zygote tmpfs:filesystem { mount unmount };
-allow zygote fuse:filesystem { unmount };
-
-# Allowed to create user-specific storage source if started before vold
-allow zygote mnt_user_file:dir create_dir_perms;
-allow zygote mnt_user_file:lnk_file create_file_perms;
-# Allowed to mount user-specific storage into place
-allow zygote storage_file:dir { search mounton };
-
-# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file rx_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net)
-
-# Root fs.
-allow zygote rootfs:file r_file_perms;
-
-# System file accesses.
-allow zygote system_file:dir r_dir_perms;
-allow zygote system_file:file r_file_perms;
-
-userdebug_or_eng(`
-  # Allow zygote to create and write method traces in /data/misc/trace.
-  allow zygote method_trace_data_file:dir w_dir_perms;
-  allow zygote method_trace_data_file:file { create w_file_perms };
-')
-
-###
-### neverallow rules
-###
-
-# Ensure that all types assigned to app processes are included
-# in the appdomain attribute, so that all allow and neverallow rules
-# written on appdomain are applied to all app processes.
-# This is achieved by ensuring that it is impossible for zygote to
-# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
-
-# Zygote should never execute anything from /data except for /data/dalvik-cache files.
-neverallow zygote {
-  data_file_type
-  -dalvikcache_data_file # map PROT_EXEC
-}:file no_x_file_perms;