From f4ce8f6c06b5ecf0129ad420aa5b006b3475dcb8 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 7 Jun 2017 09:25:11 -0700
Subject: [PATCH] Remove dumpstate selinux spam from logs

Addresses:
avc: granted { read } for name="pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/sys/fs/pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build policy
Change-Id: I7d8721c73c4f3c51b3885a97c697510e61d1221b
(cherry picked from commit f44002b37849f18a2d571738fa2789c618efd37f)
---
 public/domain_deprecated.te | 3 +++
 public/dumpstate.te         | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index f989ea1e7..4d1f2d0e3 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -159,6 +159,7 @@ allow domain_deprecated proc_meminfo:file r_file_perms;
 userdebug_or_eng(`
 auditallow {
   domain_deprecated
+  -dumpstate
   -fsck
   -fsck_untrusted
   -rild
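Review bot: The `-dumpstate` exclusion added here, and again in the two following `auditallow` sets, has no comment saying why dumpstate is exempt, so a later cleanup of domain_deprecated cannot tell a deliberate exemption from a leftover. A line such as `# dumpstate: proc access is granted explicitly in dumpstate.te` above the first block would record that. The commit message only evidences `proc` file reads of pipe-max-size, while the second set audits `proc:lnk_file` and the third set's target lies outside its hunk, so it is worth confirming that dumpstate has an explicit rule for each before silencing the audit. Once excluded, any new access by dumpstate to generically labeled /proc entries stops showing up in userdebug/eng logs.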
@@ -169,6 +170,7 @@ auditallow {
 } proc:file r_file_perms;
 auditallow {
   domain_deprecated
+  -dumpstate
   -fsck
   -fsck_untrusted
   -rild
@@ -177,6 +179,7 @@ auditallow {
 } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
 auditallow {
   domain_deprecated
+  -dumpstate
   -fingerprintd
   -healthd
   -netd
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 66eaa1f2c..d8801ea3d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -136,8 +136,9 @@ read_logd(dumpstate)
 control_logd(dumpstate)
 read_runtime_log_tags(dumpstate)
 
-# Read /proc/net
+# Read /proc and /proc/net
 allow dumpstate proc_net:file r_file_perms;
+r_dir_file(dumpstate, proc)
 
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
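Review bot: `r_dir_file(dumpstate, proc)` grants read on every directory, file and symlink that still carries the generic `proc` label, while the access logged in the commit message is a single file, /proc/sys/fs/pipe-max-size. The log lines say `granted`, so the access evidently already existed, but this line makes the broad form a permanent part of dumpstate's own policy. If that one file is all dumpstate needs, a rule against a dedicated type for it would keep the grant least-privilege; whether such a type exists is not visible from this hunk. At minimum the comment could name what is read, e.g. `# Read /proc/sys/fs/pipe-max-size and other entries still labeled proc`.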
-- 
GitLab