Policy for using Apex sepolicy Bug: 199914227 Test: aosp/1910032 Change-Id: I0726facbf0c28c486ef6501718a6013a040e4b0e

commit: bc0fa66cbe51fbd2c6ee19c3a42611c6a66e624f [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Fri Dec 03 15:21:54 2021 +0100
committer: Jeff Vander Stoep <jeffv@google.com> Tue Dec 14 13:54:03 2021 +0100
tree: b355914692710e9f1807b372339b08a5a37c504d
parent: 5ca82c1645ab7aaf2dfa40ebcff06975ec3c3dd3 [diff] [blame]
diff --git a/private/kernel.te b/private/kernel.te
index 5341163..6775b3b 100644
--- a/private/kernel.te
+++ b/private/kernel.te

@@ -31,3 +31,19 @@
 
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+  file_contexts_file
+  hwservice_contexts_file
+  mac_perms_file
+  property_contexts_file
+  seapp_contexts_file
+  sepolicy_test_file
+  service_contexts_file
+}:file relabelto;
commit	bc0fa66cbe51fbd2c6ee19c3a42611c6a66e624f	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Fri Dec 03 15:21:54 2021 +0100
committer	Jeff Vander Stoep <jeffv@google.com>	Tue Dec 14 13:54:03 2021 +0100
tree	b355914692710e9f1807b372339b08a5a37c504d
parent	5ca82c1645ab7aaf2dfa40ebcff06975ec3c3dd3 [diff] [blame]