From fc2838719b2042174dd04ca0edec8b6e39f74bd3 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 12 Jul 2017 13:23:33 -0700
Subject: [PATCH] suppress logspam

avc: denied { search } for name="tmp" dev="sda13" ino=1867778
scontext=u:r:isolated_app:s0:c512,c768
tcontext=u:object_r:shell_data_file:s0 tclass=dir

avc: denied { getattr } for path="/mnt/expand" dev="tmpfs" ino=9850
scontext=u:r:webview_zygote:s0 tcontext=u:object_r:mnt_expand_file:s0
tclass=dir

Bug: 63631799
Test: build. Denial no longer appears in the logs
Change-Id: Ie8a297c73b0f0e9008a7bf24438ef5354bf893df
---
 private/isolated_app.te   | 4 ++++
 private/webview_zygote.te | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/private/isolated_app.te b/private/isolated_app.te
index ac9dc04ba..37935c395 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -46,6 +46,10 @@ allow isolated_app webview_zygote:unix_dgram_socket write;
 # Read system properties managed by webview_zygote.
 allow isolated_app webview_zygote_tmpfs:file read;
 
+# TODO (b/63631799) fix this access
+# suppress denials to /data/local/tmp
+dontaudit isolated_app shell_data_file:dir search;
+
 #####
 ##### Neverallow
 #####
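Review bot: The new comment at "suppress denials to /data/local/tmp" should record that the `dontaudit` only stops the audit message and leaves the search denied, so a later reader does not turn it into an `allow` without revisiting b/63631799; suggested wording: `# suppress denials to /data/local/tmp; the access is still denied, only the audit message is dropped.` The avc line in the description names only `tmp` on `shell_data_file`, so the comment's path is inferred from the denial rather than the hunk — worth confirming it matches the caller in the bug. Capitalisation also differs from the matching comment in private/webview_zygote.te ("Suppress …"); pick one form. The enclosing Neverallow block starts after this hunk and is not affected.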
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 501581abf..bb5cc81aa 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -43,6 +43,10 @@ allow webview_zygote system_server:process getpgid;
 # Interaction between the webview_zygote and its children.
 allow webview_zygote isolated_app:process setpgid;
 
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
+
 # Get seapp_contexts
 allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
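Review bot: The comment "Webview zygote should not be accessing." is an unfinished sentence; state the object, e.g. `# Suppress denials to storage. webview_zygote should not be accessing mnt_expand_file; the getattr remains denied, only the audit record is dropped.` Since the comment itself says the zygote should not touch this storage, a build-time `neverallow webview_zygote mnt_expand_file:dir *;` may be a stronger guard than a silenced denial, presumably belonging in the neverallow section that is outside this hunk — whether existing rules or the attributes of `mnt_expand_file` would conflict cannot be judged from here, so this is a suggestion to check rather than a defect.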
-- 