From 7a186b3fa80000acf0d7d2e9ad7d597433aebc82 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 19 May 2014 16:33:51 -0700
Subject: [PATCH] Suppress installd auditallow

installd is expected to handle unlabeled apps. Don't
emit an audit message when it does so.

Change-Id: Ia173914ff4d1b8368a18f326494eda8173d30192
---
 domain.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index 0bd9ad08e..029d20a53 100644
--- a/domain.te
+++ b/domain.te
@@ -150,9 +150,11 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 #
 allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init -installd } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel -installd } unlabeled:dir { create_dir_perms relabelfrom };
 auditallow kernel unlabeled:dir ~search;
+auditallow installd unlabeled:dir ~{ getattr search relabelfrom };
+auditallow installd unlabeled:notdevfile_class_set ~{ getattr relabelfrom };
 
 ###
 ### neverallow rules
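Review bot: The two new `auditallow installd unlabeled:...` lines carry no comment saying why `getattr`, `search` and `relabelfrom` are the expected set, so a later reader cannot tell a deliberate exemption from an accidental gap. A line above them such as `# installd relabels unlabeled app data; audit only access beyond getattr/search/relabelfrom.` would record the intent. After this change installd's `relabelfrom` on unlabeled files and directories is no longer logged, while the `allow domain unlabeled:...` rules still grant it the full create perms, so any review of what installd relabels presumably has to rely on the target-type side. The comment block that introduces these rules starts above the hunk, so it may already cover part of this.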
-- 
GitLab