From 8d200817d45e3e64d813f6bdc06e6e54ffe2e27d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 2 Apr 2015 15:36:51 -0700
Subject: [PATCH] netd dontaudit fsetid

For the reasons explained in the pre-existing code, we don't want
to grant fsetid to netd, nor do we want denial messages to be
generated.

Change-Id: I34dcea81acd25b4eddc46bb54ea0d828b33c5fdc
---
 netd.te | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/netd.te b/netd.te
index 5f4f38cb7..f84b45279 100644
--- a/netd.te
+++ b/netd.te
@@ -11,9 +11,8 @@ allow netd self:capability { net_admin net_raw kill };
 # than one of the groups assigned to the current process to see if
 # the setgid bit should be cleared, regardless of whether the setgid
 # bit was even set.  We do not appear to truly need this capability
-# for netd to operate.  Uncomment the dontaudit rule below after
-# sufficient testing of the fsetid removal.
-# dontaudit netd self:capability fsetid;
+# for netd to operate.
+dontaudit netd self:capability fsetid;
 
 allow netd self:netlink_kobject_uevent_socket create_socket_perms;
 allow netd self:netlink_route_socket nlmsg_write;
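Review bot: The new `dontaudit netd self:capability fsetid;` rule silences the AVC message but nothing beside the rule says that the silence is deliberate; the surviving comment only states that the capability does not appear to be needed. Because a dontaudit hides exactly the denial that would reveal a future regression, someone later debugging unexpected setgid-bit behaviour on files netd creates has no pointer to this line. Add a short note on the line above the rule, e.g. `# fsetid stays denied; the denial is deliberately not audited (see above).`, so the intent survives the removed "uncomment after testing" text. The explanatory comment block begins above the hunk header, so its opening sentences are not visible here.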
-- 