authorJeff Vander Stoep <jeffv@google.com>2015-07-29 12:59:08 -0700
committerJeff Vander Stoep <jeffv@google.com>2015-07-29 14:27:55 -0700
commita38a399afd0c7d2cefce426b35bb4655aee62633 (patch)
tree8aecac11df60358ea7271dda7a4e36dde6134a71 /sepolicy/vold.te
parent447f98b80ae1df0d5176c809f0a42d0699e87795 (diff)
downloadbullhead-a38a399afd0c7d2cefce426b35bb4655aee62633.tar.gz
selinux: ignore denial from vold opening /proc/irq
In commit 66270a21df1058434e4d63691221f11ff5387a0f vold goes through each dir in /proc/ and opens it for reading to gather information about each running process. /proc/irq is not a process and vold does not need access. Ignore the denial. Bug: 21591724 Change-Id: I32847a87bbea3ddb373d8bedaf2743a5ce2e98ff
Diffstat (limited to 'sepolicy/vold.te')
-rw-r--r--sepolicy/vold.te7
1 files changed, 6 insertions, 1 deletions
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 66bca28..e98a36c 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1 +1,6 @@
-permissive vold;
+# vold goes through /proc and opens each dir as O_RDONLY
+# to gather information about all PIDS.
+# It does not need access to /proc/irq which is labeled as
+# proc_irq on bullhead
+# See system/vold commit 66270a21df1058434e4d63691221f11ff5387a0f
+dontaudit vold proc_irq:dir { read open };
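Review bot: The removal of `permissive vold;` on the first line of the hunk is not mentioned in the new comment or in the commit message, yet it is the larger change. Unless vold is declared permissive elsewhere in the policy, the domain becomes enforcing and every access that was previously only logged is now denied. The `dontaudit` rule then makes the open of /proc/irq fail without a log entry, so the comment should say the access is denied and unlogged, not merely unneeded, e.g. `# vold is enforcing: the open of /proc/irq is denied and, via dontaudit, not logged.` Since dontaudit also hides these denials from audit-based monitoring, it is worth confirming that vold's /proc walk skips a directory it cannot open instead of aborting; that code is not visible here.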