Merge "dontaudit user_profile_foreign_dex_data_file open, read." into nyc-dev
diff --git a/app.te b/app.te
index 56cecb5..f2adf37 100644
--- a/app.te
+++ b/app.te
@@ -127,6 +127,10 @@
# Profiles for foreign dex files are just markers and only need create permissions.
allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
allow appdomain user_profile_foreign_dex_data_file:file create;
+# There is no way to create user_profile_foreign_dex_data_file without
+# generating open/read denials. These permissions should not be granted and the
+# denial is harmless. dontaudit to suppress the denial.
+dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
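Review bot: The added `dontaudit` on the `user_profile_foreign_dex_data_file:file { open read }` line covers every domain in `appdomain`, so an app that deliberately tries to open or read a foreign-dex marker is still denied but no longer leaves an avc record for detection or triage. The comment says these permissions should not be granted, yet nothing in the hunk enforces that. If no app domain legitimately needs them, a compile-time assertion such as `neverallow appdomain user_profile_foreign_dex_data_file:file { open read };` next to the dontaudit would stop a later allow rule from slipping in unnoticed. The comment could also name the operation that triggers the denial (presumably the create path opening the new marker file), so a reader can tell expected noise from a real probe.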