From 036ef1ebc23b6a2d05317f397125f598c042fe52 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Mon, 16 Oct 2017 15:01:45 -0700
Subject: [PATCH] Remove obdm_app access to proc label.

Instead give obdm_app read access to /proc/stat.

Bug: 65643247
Test: can login to obdm app without selinux denials

Change-Id: I368c018f883610364cd026da68085935aefd69c1
---
 sepolicy/verizon/obdm_app.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sepolicy/verizon/obdm_app.te b/sepolicy/verizon/obdm_app.te
index c8abf8b0..f24baad7 100644
--- a/sepolicy/verizon/obdm_app.te
+++ b/sepolicy/verizon/obdm_app.te
@@ -3,7 +3,7 @@ type obdm_app, domain, coredomain;
 app_domain(obdm_app)
 net_domain(obdm_app)
 
-r_dir_file(obdm_app, proc)
+allow obdm_app proc_stat:file r_file_perms;
 
 # talk to /dev/diag
 allow obdm_app diag_device:chr_file rw_file_perms;