domain_deprecated.te: Exclude recovery from auditallow for /cache/recovery
Recovery uses /cache/recovery. Exclude it from auditallow coverage.
Addresses the following SELinux log spam:
avc: granted { search } for pid=323 comm="recovery" name="recovery" dev="mmcblk0p38" ino=12 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
avc: granted { read } for pid=323 comm="recovery" name="block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file
avc: granted { getattr } for pid=323 comm="recovery" path="/cache/recovery/block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file
Change-Id: Ib6c7b44ac23fccaf2ea506429fb760ee85e87c76
diff --git a/domain_deprecated.te b/domain_deprecated.te
index d9b8d6b..36f8d99 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -54,8 +54,8 @@
allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms;
# Likely not needed. auditallow to be sure
-auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:dir r_dir_perms;
-auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:file { getattr read };
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt -recovery } cache_recovery_file:dir r_dir_perms;
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt -recovery } cache_recovery_file:file { getattr read };
auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms;
# For /acct/uid/*/tasks.