From c510da991843ea9c0400218b05d232ea3e8b9277 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Fri, 29 Mar 2019 14:29:42 -0700
Subject: [PATCH] netutils_wrapper: suppress sysfs denials
Addresses spurious denials caused by users of netutils_wrapper which open files in /sys without O_CLOEXEC.
avc: denied { read } for comm="iptables-wrappe" dev="sysfs" ino=47786 scontext=u:r:netutils_wrapper:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file
Test: build
Change-Id: I1c1f82428555be6a9798a189420dd85a9db107f7
---
 private/netutils_wrapper.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index fc01999c9..a773f96f9 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -36,6 +36,7 @@ domain_auto_trans({
 # suppress spurious denials
 dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+dontaudit netutils_wrapper sysfs_type:file read;
 # netutils wrapper may only use the following capabilities.
 neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
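Review bot: The added `dontaudit netutils_wrapper sysfs_type:file read;` is scoped to the whole sysfs_type attribute, while the denial quoted in the commit message names only the sysfs_msm_subsys label; every other sysfs label this domain might read is now silenced as well, so a genuine future policy gap for netutils_wrapper would fail without leaving an audit trail. Since the stated cause is file descriptors inherited from callers that open /sys without O_CLOEXEC, the narrower option is to dontaudit only the label seen in the denial, or to fix the leaking callers so no suppression is needed at all. If the broad rule is kept, it deserves its own comment so the next reader does not promote it to an allow, e.g. `# inherited fds to /sys from callers that open without O_CLOEXEC; silence the read denial, do not allow it`.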