domain_deprecated.te: Exclude recovery from auditallow for /cache/recovery

Recovery uses /cache/recovery. Exclude it from auditallow coverage. Addresses the following SELinux log spam: avc: granted { search } for pid=323 comm="recovery" name="recovery" dev="mmcblk0p38" ino=12 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir avc: granted { read } for pid=323 comm="recovery" name="block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file avc: granted { getattr } for pid=323 comm="recovery" path="/cache/recovery/block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file Change-Id: Ib6c7b44ac23fccaf2ea506429fb760ee85e87c76

domain_deprecated.te: Exclude recovery from auditallow for /cache/recovery
Recovery uses /cache/recovery. Exclude it from auditallow coverage. Addresses the following SELinux log spam: avc: granted { search } for pid=323 comm="recovery" name="recovery" dev="mmcblk0p38" ino=12 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir avc: granted { read } for pid=323 comm="recovery" name="block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file avc: granted { getattr } for pid=323 comm="recovery" path="/cache/recovery/block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file Change-Id: Ib6c7b44ac23fccaf2ea506429fb760ee85e87c76
829a7493 · Nick Kralevich · 956ca4c5 · 829a7493
Commit 829a7493 authored 9 years ago by Nick Kralevich
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -54,8 +54,8 @@ allow domain_deprecated { cache_file cache_recovery_file }:file { getattr read }
 allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms;
 # Likely not needed. auditallow to be sure
-auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:dir r_dir_perms;
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt -recovery } cache_recovery_file:dir r_dir_perms;
-auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:file { getattr read };
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt -recovery } cache_recovery_file:file { getattr read };
 auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms;
 # For /acct/uid/*/tasks.