From a63fd3aadb6464a314cabd18eb4ee78ea6161c50 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Tue, 27 Jun 2017 14:30:18 -0700
Subject: [PATCH] Clean up denials
avc: denied { search } for name="/" scontext=u:r:kernel:s0 tcontext=u:object_r:persist_file:s0 tclass=dir
avc: denied { search } for name="ipc_logging" dev="debugfs" scontext=u:r:kernel:s0 tcontext=u:object_r:debugfs_ipc:s0 tclass=dir
avc: denied { sys_module } scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability
Bug: 35197529
Test: build, verify denials no longer occur.
Change-Id: Ibe18ca05f2d80343624d08116b83b5287239c01a
---
 sepolicy/vendor/kernel.te | 3 +++
 sepolicy/vendor/netd.te | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
index c5cbb8b3..23686463 100644
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
@@ -9,3 +9,6 @@ allow kernel vendor_firmware_file:file r_file_perms;
 allow kernel vendor_firmware_file:lnk_file read;
 dontaudit kernel kernel:system module_request;
+
+allow kernel debugfs_ipc:dir search;
+allow kernel persist_file:dir search;
diff --git a/sepolicy/vendor/netd.te b/sepolicy/vendor/netd.te
index cc679185..b26f9751 100644
--- a/sepolicy/vendor/netd.te
+++ b/sepolicy/vendor/netd.te
@@ -1,4 +1,4 @@
 allow netd sysfs_net:file w_file_perms;
 dontaudit netd kernel:system module_request;
-dontaudit netd self:system module_request;
+dontaudit netd self:capability sys_module;
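Review bot: The two added `allow kernel ...:dir search;` rules in kernel.te have no comment naming the kernel code path that needs them, and the `debugfs_ipc` one is granted unconditionally on every build variant. If the `ipc_logging` lookup only serves debugging, `dontaudit kernel debugfs_ipc:dir search;` or guarding the allow with the `userdebug_or_eng` macro would keep debugfs traversal out of the kernel domain on user builds; the page does not show which case applies, so that needs confirming. For `persist_file`, the denial is on the filesystem root, so `search` alone only permits traversal and a follow-up denial on whatever lies beneath is likely. A one-line comment stating what the kernel thread is looking for under /persist would let the next reviewer judge whether this rule is the whole requirement.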
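Review bot: The new `dontaudit netd self:capability sys_module;` in netd.te only suppresses the audit record. netd still lacks the capability, so the "verify denials no longer occur" test confirms silence, not that the underlying operation is harmless. The rule also hides any later `sys_module` attempt by netd from the audit log, which is a detection trade-off worth documenting next to the rule. A possible comment is `# netd can trigger kernel module autoload probes; CAP_SYS_MODULE is intentionally not granted`, but that trigger is inferred rather than shown on the page, so confirm it before using the wording. The removed `dontaudit netd self:system module_request;` is dropped with no replacement, so it is worth checking that this denial is not expected to reappear.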