From dfa29865722c33fb4b855e0ff82dc58b85769e79 Mon Sep 17 00:00:00 2001
From: Richard Uhler <ruhler@google.com>
Date: Tue, 10 May 2016 13:59:19 -0700
Subject: [PATCH] dontaudit user_profile_foreign_dex_data_file open, read.

This avoids audit messages that arise because there is no way to create the
file without also attempting to open and read it.

Bug: 28241500
Change-Id: Id1daaf190b36eda9775e00701cd7241991f65a2a
---
 app.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app.te b/app.te
index 56cecb52e..f2adf3719 100644
--- a/app.te
+++ b/app.te
@@ -127,6 +127,10 @@ allow appdomain user_profile_data_file:file create_file_perms;
 # Profiles for foreign dex files are just markers and only need create permissions.
 allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
 allow appdomain user_profile_foreign_dex_data_file:file create;
+# There is no way to create user_profile_foreign_dex_data_file without
+# generating open/read denials. These permissions should not be granted and the
+# denial is harmless. dontaudit to suppress the denial.
+dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };
 
 # Send heap dumps to system_server via an already open file descriptor
 # % adb shell am set-watch-heap com.android.systemui 1048576
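Review bot: The dontaudit on line 26 suppresses open/read denials for every member of appdomain on user_profile_foreign_dex_data_file, so nothing in the policy any longer records that these permissions are deliberately withheld rather than merely unlogged. If no appdomain member is expected to read these marker files, consider pairing it with `neverallow appdomain user_profile_foreign_dex_data_file:file { open read };` so a later allow rule cannot quietly turn the suppressed denial into a granted read; confirm first that no domain attributed to appdomain legitimately needs read access. The comment on lines 23-25 asserts the denial is harmless because the files are only markers (per line 20), which appears to rest on the files carrying no content; I would add `# Revisit if these files ever carry data; Bug: 28241500` so the assumption and its origin are visible to whoever next touches the rule.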
-- 
GitLab