From e477c781d43b81d0a27cfb81cbe7ed41f6b0be68 Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Tue, 10 Apr 2018 10:46:45 -0700
Subject: [PATCH] Hide sys_rawio SELinux denials.

We often see the following denials:

avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0

These are benign, so we are hiding them.

Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a
(cherry picked from commit bf4afae14049bfe9be37aa72db958cbb6b609377)
---
 public/hal_bootctl.te   | 2 ++
 public/update_engine.te | 1 +
 2 files changed, 3 insertions(+)

diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 8b240b1ce..181de4a9c 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -4,3 +4,5 @@ binder_call(hal_bootctl_server, hal_bootctl_client)
 
 add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
 allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+
+dontaudit hal_bootctl self:capability sys_rawio;
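Review bot: The new `dontaudit hal_bootctl self:capability sys_rawio;` line carries no comment saying why this denial is safe to silence, and the commit message only calls it benign without naming the operation that trips the capability check; the same gap applies to the update_engine.te hunk, whose existing `# Ignore these denials.` header gives no reason either. A `dontaudit` on a capability hides every future sys_rawio attempt by the domain, including one that a later code change genuinely needs and that would then fail without any audit trace, so the policy should record why the denial is harmless. Suggested comment above the new line, adjusted to whatever the actual trigger is: `# Benign sys_rawio denial (b/37778617): presumably the caller works without the capability, so just hide it.`, with the same one-line reason added to the update_engine.te rule. It is also worth stating in that comment that the rule is written on the `hal_bootctl` attribute while the logged denial names `hal_bootctl_default`, so a reader grepping for the denied context finds the rule.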
diff --git a/public/update_engine.te b/public/update_engine.te
index 6e97aa919..ca73c7e89 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -24,6 +24,7 @@ wakelock_use(update_engine);
 
 # Ignore these denials.
 dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:capability sys_rawio;
 
 # Allow using persistent storage in /data/misc/update_engine.
 allow update_engine update_engine_data_file:dir create_dir_perms;
-- 