authorAlistair Strachan <astrachan@google.com>2019-05-16 10:33:23 -0700
committerAlistair Strachan <astrachan@google.com>2019-05-17 00:26:37 +0000
commit37eeaac418f33598dd4ff8b61fae3c55b50818c6 (patch)
tree25a1e11bc6a402459ebe34bf3ecf9e81f5b37667
parent343082afb855cc2624365b7c0a444e0d6773ede8 (diff)
Add more sepolicy for cgroup/cpusets
After enabling cgroup/cpusets in the cuttlefish kernel, these new denials have popped up. Fix them. Bug: 128336318 Change-Id: I0dfebebea518261659824c595ea9609c954d64ad Merged-In: I0dfebebea518261659824c595ea9609c954d64ad
-rw-r--r--shared/sepolicy/bug_map1
-rw-r--r--shared/sepolicy/gceservice.te3
2 files changed, 4 insertions, 0 deletions
diff --git a/shared/sepolicy/bug_map b/shared/sepolicy/bug_map
index 1adf764b0..74341aa10 100644
--- a/shared/sepolicy/bug_map
+++ b/shared/sepolicy/bug_map
@@ -3,6 +3,7 @@ installd device file 128336318
kernel device blk_file 130468851
kernel kernel system 130424539
lmkd device file 128336318
+logpersist logpersist capability 132911257
netd device file 128336318
shell adbd vsock_socket 131904985
storaged device file 128336318
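Review bot: The added bug_map entry `logpersist logpersist capability 132911257` is not explained by the commit message, which only talks about cgroup/cpuset denials and cites a different bug number. As far as I understand bug_map, this line does not grant or deny anything; it only tags a logpersist capability denial with a tracking bug so the denial is treated as known rather than fixed, so a reader of the policy cannot tell from this commit why that denial is acceptable to leave in place. The commit description should say which capability denial this covers and why it is being tracked rather than resolved, for example by adding a sentence such as "Also map the outstanding logpersist capability denial to b/132911257 pending a proper fix." The alphabetical placement between lmkd and netd matches the rest of the file.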
diff --git a/shared/sepolicy/gceservice.te b/shared/sepolicy/gceservice.te
index 488130943..b6f84be7c 100644
--- a/shared/sepolicy/gceservice.te
+++ b/shared/sepolicy/gceservice.te
@@ -24,3 +24,6 @@ allow gceservice tombstone_data_file:file getattr;
# started before Android init and thus before SELinux rule are applied.
# TODO(b/65049764): Update once GCE metadata proxy is moved outside of the emulator or gets labelled
allow gceservice kernel:unix_stream_socket connectto;
+
+# gceservice writes to /dev/stune/foreground/tasks
+allow gceservice cgroup:file w_file_perms;
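Review bot: The comment on the new rule names a single path, but `allow gceservice cgroup:file w_file_perms;` grants write access to every file carrying the cgroup type label, not just /dev/stune/foreground/tasks, so the comment understates the scope of what gceservice can now modify. The w_file_perms macro also expands to more than plain write (open and append at least, possibly lock and map depending on the policy version), which is more than a task-list write needs if the audited denial only listed open and write; that denial is not shown in the commit, so this is an inference worth confirming against the audit log. I would make the comment honest about the scope, `# gceservice writes to /dev/stune/foreground/tasks; note this grants write on all cgroup-labelled files, not just that path`, and, if the denial was only `{ open write }`, grant exactly that set instead of the macro. If this policy has a narrower label for the stune hierarchy, preferring it over the generic cgroup type would be the better fix, but I cannot tell from this hunk whether one exists.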