dexoptanalyzer: suppress access(2) denial A legitimate call to access(2) is generating a denial. Use the audit_access permission to suppress the denial on just the access() call. avc: denied { write } for name="verified_jars" scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir Bug: 62597207 Test: build policy Test: The following cmd succeeds but no longer generates a denial adb shell cmd package compile -r bg-dexopt --secondary-dex \ com.google.android.googlequicksearchbox Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f (cherry picked from commit 575e6270813e4d701e824951920a359d16f0d054)

commit: 06aee357e4bffac591ccddf4e4404b6d7bfea74b [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Mon Jun 26 15:08:37 2017 -0700
committer: Jeff Vander Stoep <jeffv@google.com> Fri Jun 30 15:30:06 2017 -0700
tree: 344a2ec774950f8367036193e8230de9ba509886
parent: 2be9799bcc21863de48925b1eff55185be168696 [diff]
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index db81d0d..1c23f57 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te

@@ -21,6 +21,10 @@
 # package manager.
 allow dexoptanalyzer app_data_file:dir { getattr search };
 allow dexoptanalyzer app_data_file:file r_file_perms;
+# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
+# "dontaudit...audit_access" policy line to suppress the audit access without
+# suppressing denial on actual access.
+dontaudit dexoptanalyzer app_data_file:dir audit_access;
 
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };
commit	06aee357e4bffac591ccddf4e4404b6d7bfea74b	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Mon Jun 26 15:08:37 2017 -0700
committer	Jeff Vander Stoep <jeffv@google.com>	Fri Jun 30 15:30:06 2017 -0700
tree	344a2ec774950f8367036193e8230de9ba509886
parent	2be9799bcc21863de48925b1eff55185be168696 [diff]