Remove dumpstate selinux spam from logs
Addresses:
avc: granted { read } for name="pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/sys/fs/pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
Test: build policy
Change-Id: I7d8721c73c4f3c51b3885a97c697510e61d1221b
(cherry picked from commit f44002b37849f18a2d571738fa2789c618efd37f)
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index f989ea1..4d1f2d0 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -159,6 +159,7 @@
userdebug_or_eng(`
auditallow {
domain_deprecated
+ -dumpstate
-fsck
-fsck_untrusted
-rild
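Review bot: The three `-dumpstate` exclusions silence more than the logged accesses justify: both avc lines in the commit message are `tclass=file` reads of `/proc/sys/fs/pipe-max-size`, yet the hunk at -169 also drops dumpstate from the `proc:lnk_file` audit, and the hunk at -177 drops it from an auditallow whose closing line, and so its target type, lies outside the hunk. After this change any further use of these generically labelled objects by dumpstate on userdebug/eng builds goes unlogged, which removes the signal normally used to narrow the domain later. I would keep the exclusion only in the `proc:file` block (this one, which appears to close at the `} proc:file r_file_perms;` line that opens the next hunk) unless there are logged grants for the other classes, and list those grants in the commit message if so.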
@@ -169,6 +170,7 @@
} proc:file r_file_perms;
auditallow {
domain_deprecated
+ -dumpstate
-fsck
-fsck_untrusted
-rild
@@ -177,6 +179,7 @@
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow {
domain_deprecated
+ -dumpstate
-fingerprintd
-healthd
-netd
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 66eaa1f..d8801ea 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -136,8 +136,9 @@
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)
-# Read /proc/net
+# Read /proc and /proc/net
allow dumpstate proc_net:file r_file_perms;
+r_dir_file(dumpstate, proc)
# Read network state info files.
allow dumpstate net_data_file:dir search;
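Review bot: `r_dir_file(dumpstate, proc)` grants far more than the access being fixed: the macro allows read on every directory, file and symlink carrying the generic `proc` label, while the avc lines in the commit message show only `read open` on `/proc/sys/fs/pipe-max-size`. dumpstate collects bug-report data, so broad /proc read may be intended, but then the comment should say so, e.g. `# dumpstate reads generically labelled /proc entries (e.g. /proc/sys/fs/pipe-max-size)` instead of `# Read /proc and /proc/net`. If only the logged access is needed, `allow dumpstate proc:file r_file_perms;` avoids the dir and lnk_file grants, and giving that one file its own type would narrow it further. The rewritten comment also sits directly above the `proc_net` rule, so moving the `proc` rule under its own comment line would keep each comment next to the rule it explains.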