Do not audit the fsetid capability for update engine
There's a selinux denial for update_engine after go/aog/530462; the
denial is likely due to the setgid bit of the
update_engine_log_data_file.
Message:
11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
Bug: 69197466
Test: denial message gone on sailfish.
Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf
diff --git a/public/update_engine.te b/public/update_engine.te
index 9f9b557..fef5dec 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -12,6 +12,12 @@
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:capability { fowner sys_admin };
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit update_engine self:capability fsetid;
+
allow update_engine kmsg_device:chr_file w_file_perms;
allow update_engine update_engine_exec:file rx_file_perms;
wakelock_use(update_engine);