commit bc8dc3aa9d03598fc69df3e0b3990cddcf807616
author Tri Vo <trong@google.com> Sun May 26 13:17:08 2019 -0700
committer Tri Vo <trong@google.com> Sun May 26 14:19:26 2019 -0700
tree 68f796377c8252d188bca113981996217ed28eb3
parent b693197a34902c7d92006b2173a69d9620ee3e9f

DO NOT MERGE Fake 29.0 sepolicy prebuilts

I took current AOSP policy as base, then removed sepolicy so that the
set of type and attributes was a subset of types and attributes in Q
sepolicy, with exception of those that have not yet been cleand up in
current AOSP:

mediaswcodec_server
netd_socket
mediaextractor_update_service
thermalserviced
thermalserviced_exec

Bug: 133196056
Test: n/a
Change-Id: I2cbe749777684146114c89e1e6fc3f07400c0ae5

prebuilts/api/29.0/private/auditctl.te

diff --git a/prebuilts/api/29.0/private/auditctl.te b/prebuilts/api/29.0/private/auditctl.te
new file mode 100644
index 0000000..f634d3d
--- /dev/null
+++ b/prebuilts/api/29.0/private/auditctl.te
@@ -0,0 +1,18 @@
+#
+# /system/bin/auditctl executed for logd
+#
+# Performs maintenance of the kernel auditing system, including
+# setting rate limits on SELinux denials.
+#
+
+type auditctl, domain, coredomain;
+type auditctl_exec, file_type, system_file_type, exec_type;
+
+# Uncomment the line below to put this domain into permissive
+# mode. This helps speed SELinux policy development.
+# userdebug_or_eng(`permissive auditctl;')
+
+init_daemon_domain(auditctl)
+
+allow auditctl self:global_capability_class_set audit_control;
+allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };