netutils_wrapper: suppress sysfs denials

Addresses spurious denials caused by users of netutils_wrapper which
open files in /sys without O_CLOEXEC.

avc: denied { read } for comm="iptables-wrappe"
dev="sysfs" ino=47786 scontext=u:r:netutils_wrapper:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

Test: build
Change-Id: I1c1f82428555be6a9798a189420dd85a9db107f7
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index fc01999..a773f96 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -36,6 +36,7 @@
# suppress spurious denials
dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+dontaudit netutils_wrapper sysfs_type:file read;
# netutils wrapper may only use the following capabilities.
neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
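Review bot: the added `dontaudit netutils_wrapper sysfs_type:file read;` silences read denials for every type carrying the sysfs_type attribute, while the only denial quoted in the commit message has tcontext sysfs_msm_subsys. A rule this wide also hides any real read denial on a sysfs file that netutils_wrapper might hit later, which makes future policy debugging harder because nothing will appear in the audit log. If the attribute is intentional because the leaked descriptors can carry arbitrary sysfs labels depending on the caller and device, please say so in a comment directly above the rule; the existing "# suppress spurious denials" comment does not mention that the cause is callers opening /sys files without O_CLOEXEC. The rule only suppresses logging, so the leaked descriptors are still inherited by the wrapper; a note pointing at the callers that need O_CLOEXEC would help track the actual fix. The commit lists only "Test: build", so it would also be worth confirming on a device that the quoted avc line no longer appears.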