Address auditallow spam from init

Init has access to a number of character devices inherited via domain.te. Exclude those character devices from the auditallow logging. In addition, init has access to a number of character devices explicitly listed in init.te. Exclude those from auditallow logging too. Addresses various auditallow spam, including: avc: granted { read open } for comm="init" path="/dev/urandom" dev="tmpfs" ino=1197 scontext=u:r:init:s0 tcontext=u:object_r:random_device:s0 tclass=chr_file avc: granted { read open } for comm="init" path="/dev/ptmx" dev="tmpfs" ino=1294 scontext=u:r:init:s0 tcontext=u:object_r:ptmx_device:s0 tclass=chr_file avc: granted { read } for comm="init" name="keychord" dev="tmpfs" ino=1326 scontext=u:r:init:s0 tcontext=u:object_r:keychord_device:s0 tclass=chr_file avc: granted { read open } for comm="init" path="/dev/keychord" dev="tmpfs" ino=1326 scontext=u:r:init:s0 tcontext=u:object_r:keychord_device:s0 tclass=chr_file and others not covered above. Bug: 35197529 Bug: 33347297 Test: policy compiles and no auditallow denials. Change-Id: Id869404a16c81c779943e9967eb32da226b6047e

Address auditallow spam from init
8b63356b · Nick Kralevich · fbd43f03 · 8b63356b
Commit 8b63356b authored 8 years ago by Nick Kralevich
--- a/public/init.te
+++ b/public/init.te
@@ -200,10 +200,24 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read
 allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
 auditallow init {
  dev_type
-  -kmem_device
-  -port_device
+  -alarm_device
+  -ashmem_device
+  -binder_device
+  -console_device
  -device
+  -devpts
+  -dm_device
+  -hwbinder_device
+  -hw_random_device
+  -keychord_device
+  -kmem_device
+  -kmsg_device
  -null_device
+  -owntty_device
+  -port_device
+  -ptmx_device
+  -random_device
+  -zero_device
 }:chr_file { read open };

 # chown/chmod on devices.