Do not audit the fsetid capability for update engine

There's a selinux denial for update_engine after go/aog/530462; the
denial is likely due to the setgid bit of the
update_engine_log_data_file.
Message:
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:4): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:5): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:4): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0
11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:5): avc:
denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0

Bug: 69197466
Test: denial message gone on sailfish.
Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf

public/update_engine.te

@@ -12,6 +12,12 @@ allow update_engine qtaguid_device:chr_file r_file_perms;
 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
 allow update_engine self:capability { fowner sys_admin };
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit update_engine self:capability fsetid;
+
 allow update_engine kmsg_device:chr_file w_file_perms;
 allow update_engine update_engine_exec:file rx_file_perms;
 wakelock_use(update_engine);