authorJeff Vander Stoep2018-04-11 12:46:30 -0500
committerJeff Vander Stoep2018-04-11 14:19:46 -0500
commitf7a7f7d1382129b79cd5efce00554a4eeaab024e (patch)
tree6e5c8e2ef35420efcd68eb3bd84b48a2f6c492f2
parent12e73685b75905fa5afa62cd1fb3631f9f2af818 (diff)
Suppress spurious denial
Addresses: avc: denied { sys_resource } for comm="ip6tables" capability=24 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability Bug: 77905989 Test: build and flash taimen-userdebug Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c (cherry picked from commit 443a43c98121363929f268b1f77bd229a3247d3a)
-rw-r--r--private/netutils_wrapper.te6
1 files changed, 6 insertions, 0 deletions
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f56e8d86..ea58814e 100644
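--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -33,3 +33,9 @@ domain_auto_trans({
 -coredomain
 -appdomain
 }, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };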
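Review bot: The comment `# suppress spurious denials` above the new `dontaudit` rule does not say which access is spurious or why, so a later auditor of this file cannot tell it from a rule that hides a real problem. Because `dontaudit` only silences the audit record, every future `sys_resource` attempt from `netutils_wrapper` will also go unlogged, including one from a misbehaving or compromised wrapper. I would record the source next to the rule, for example `# ip6tables requests sys_resource but does not appear to need it; still denied, just not logged (b/77905989).` The allow rules for this domain are outside the hunk, so it is worth confirming they grant only `net_admin` and `net_raw`, as the new `neverallow` asserts.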