Allow some denials we have seen.

This addresses the following denials:

avc: denied { module_request } for comm="dnsmasq" kmod="netdev-bt-pan" scontext=u:r:dnsmasq:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
avc: denied { module_request } for comm="allocator@2.0-s" kmod="crypto-heh(aes)" scontext=u:r:hal_graphics_allocator_default:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
avc: denied { module_request } for comm="android.hardwar" kmod="crypto-hmac(sha256)" scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
avc: denied { sigkill } for comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netutils_wrapper:s0 tclass=process permissive=0
avc: denied { sys_module } for comm="android.fg" capability=16 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability permissive=0
avc: denied { search } for comm="cnss-daemon" name="net" dev="sysfs" scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Test: Build.
Merged-In: I7e201147271a32ea8420406af221aa7678374d78
Change-Id: I7e201147271a32ea8420406af221aa7678374d78
Joel Galenson
2018-04-12 17:06:49 -07:00
parent 85b730d225
commit f5a3496e1c
6 changed files with 9 additions and 0 deletions

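--- a/sepolicy/vendor/dnsmasq.te
+++ b/sepolicy/vendor/dnsmasq.te
@@ -0,0 +1 @@
+dontaudit dnsmasq kernel:system module_request;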
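Review bot: The new `dontaudit dnsmasq kernel:system module_request;` rule has no comment naming what triggers the request, and the same holds for the matching one-line rules added for hal_graphics_allocator_default and hal_graphics_composer_default in the next two sections. The commit message records the kmod aliases (`netdev-bt-pan`, `crypto-heh(aes)`, `crypto-hmac(sha256)`), but that context is not available to someone reading the .te files later. A dontaudit also hides any future module_request from these domains for a different module, so the scope of what was actually observed is worth writing down. I would put a line above each rule such as `# Kernel attempts to autoload netdev-bt-pan in dnsmasq's context; the request stays denied, only the log entry is suppressed.`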


@@ -0,0 +1 @@
dontaudit hal_graphics_allocator_default kernel:system module_request;


@@ -34,3 +34,5 @@ userdebug_or_eng(`
allow hal_graphics_composer_default diag_device:chr_file rw_file_perms;
')
dontaudit hal_graphics_composer_default diag_device:chr_file rw_file_perms;
dontaudit hal_graphics_composer_default kernel:system module_request;


@@ -35,6 +35,7 @@ wakelock_use(netmgrd)
#Allow netutils usage
domain_auto_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
allow netmgrd netutils_wrapper:process sigkill;
#Allow diag logging
allow netmgrd sysfs_timestamp_switch:file { read open };
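Review bot: `allow netmgrd netutils_wrapper:process sigkill;` (apparently the one added line in this hunk) is the only rule in the commit that grants a permission rather than silencing a denial, and it has no comment of its own under `#Allow netutils usage`. The rule applies to every process running in the netutils_wrapper domain, not only those netmgrd started through the `domain_auto_trans` above. If other daemons also transition into that domain (not visible here), the MAC layer no longer stops netmgrd from killing their helpers. A comment giving the reason, e.g. `# netmgrd SIGKILLs the netutils_wrapper helpers it spawned; see avc denied { sigkill } comm="netmgrd"`, would let a later reviewer judge whether the grant is still needed. The file continues outside this hunk.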


@@ -22,3 +22,5 @@ dontaudit system_server audioserver:file write;
dontaudit system_server untrusted_app:file write;
dontaudit system_server hal_audio_default:file write;
dontaudit system_server appdomain:file write;
dontaudit system_server self:capability sys_module;
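Review bot: `dontaudit system_server self:capability sys_module;` suppresses the audit record for every CAP_SYS_MODULE check that system_server fails, not only the `android.fg` case quoted in the commit message. The denial stays in force, but a later attempt from this domain to load a kernel module would no longer appear in the avc log, and that is a detection signal worth keeping for a process as privileged as system_server. If the rule stays, I would record the trigger next to it, e.g. `# android.fg hits a kernel path that checks CAP_SYS_MODULE (caller not identified in this commit); denial kept, log suppressed`. Preferably the caller is tracked down so the suppression can be narrowed or dropped.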


@@ -40,3 +40,5 @@ allow wcnss_service sysfs_soc:file r_file_perms;
# request_firmware causes a denial for /firmware. It can be safely ignored
dontaudit wcnss_service firmware_file:dir search;
r_dir_file(wcnss_service, sysfs_net)
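Review bot: `r_dir_file(wcnss_service, sysfs_net)` grants more than the denial in the commit message shows: the log has only `{ search }` on the sysfs_net directory `name="net"` for cnss-daemon, while the macro also allows reading directories, files and symlinks of that type. If the wider read access is intended because the daemon goes on to read entries below that directory, a comment should say so, e.g. `# cnss-daemon reads entries under the sysfs net directory`. If only the lookup is needed, `allow wcnss_service sysfs_net:dir search;` matches the observed denial. As rendered here the new line also sits directly under the `request_firmware` comment, so giving it its own comment would keep it from being read as part of that dontaudit.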