Suppress harmless denial Commit 2d736569e716b5c143f296ae124bcfed9630a4d2 improved the logging in virtualization service by attempting to get the real path from /proc/self/fd/N for various files. However, CompOS stores its log files in a directory (/data/misc/apexdata/...) which VS has no access to, triggering an SELinux denial: avc: denied { search } for name="apexdata" scontext=u:r:virtualizationmanager:s0 tcontext=u:object_r:apex_module_data_file:s0 tclass=dir Suppress this denial, since it causes no harm (we just don't log the real path). Bug: 264496291 Bug: 251751405 Test: composd_cmd test-compile; see no denials Change-Id: Ia55e593c0c0735b8f3085a964f0c789c177375f2

commit: c5b914670fa25038fed5dabf10a8929a0c8ef62d [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Thu Jan 05 14:03:13 2023 +0000
committer: Alan Stokes <alanstokes@google.com> Mon Jan 09 11:34:52 2023 +0000
tree: f5345264690951e861777d62df1e52fa47bc79eb
parent: d03656b2815ccbc1d7d60ed30e73598ae88bd896 [diff] [blame]
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index b27f363..4cd32b7 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te

@@ -71,3 +71,7 @@
 
 # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
 r_dir_file(virtualizationmanager, crosvm);
+
+# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
+# a harmless denial for CompOS log files, so ignore that.
+dontaudit virtualizationmanager apex_module_data_file:dir search;
commit	c5b914670fa25038fed5dabf10a8929a0c8ef62d	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Thu Jan 05 14:03:13 2023 +0000
committer	Alan Stokes <alanstokes@google.com>	Mon Jan 09 11:34:52 2023 +0000
tree	f5345264690951e861777d62df1e52fa47bc79eb
parent	d03656b2815ccbc1d7d60ed30e73598ae88bd896 [diff] [blame]