file bugs for each avc error

Bug: 122999081
Test: boot to home with less avc error
Change-Id: I9052316b73a017e966e83e310fef83d1bb716fea
diff --git a/bonito-sepolicy.mk b/bonito-sepolicy.mk
index d824dac..f618b8a 100644
--- a/bonito-sepolicy.mk
+++ b/bonito-sepolicy.mk
@@ -6,3 +6,4 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/vendor/qcom/sdm710
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/vendor/google
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/vendor/verizon
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/tracking_denials
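Review bot: The added `BOARD_VENDOR_SEPOLICY_DIRS` line has no comment saying that `tracking_denials` holds only temporary `dontaudit` rules, and nothing in this hunk limits it to a build variant, so the suppressions appear to apply to every build that includes this makefile. A `dontaudit` rule grants no access, but it removes the matching denial from the audit log, which is also the record a responder would use to see one of these domains touching the same target. I would add a comment above the line, such as `# Temporary dontaudit rules for denials tracked in bugs; delete each rule when its bug is closed.`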
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
new file mode 100644
index 0000000..01a1cb6
--- /dev/null
+++ b/tracking_denials/bootanim.te
@@ -0,0 +1,2 @@
+# b/149063530
+dontaudit bootanim sysfs_msm_subsys:dir search;
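Review bot: The comment `# b/149063530` is the only record of why this denial is silenced, and the same target type `sysfs_msm_subsys` is suppressed again in gmscore_app.te, hal_graphics_allocator_default.te, platform_app.te, priv_app.te, surfaceflinger.te, system_app.te, system_server.te and untrusted_app_29.te, each under a different bug. That many unrelated domains hitting one sysfs type suggests a common cause, possibly a shared library or a labelling choice, that per-domain suppression will keep out of sight. I would extend the comment in each of these files with the observed denial and the cross-reference, for example `# b/149063530: avc denied { search } on a sysfs_msm_subsys dir; same target as the other tracking_denials files`.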
diff --git a/tracking_denials/dataservice_app.te b/tracking_denials/dataservice_app.te
new file mode 100644
index 0000000..172a2fc
--- /dev/null
+++ b/tracking_denials/dataservice_app.te
@@ -0,0 +1,2 @@
+# b/149063685
+dontaudit dataservice_app vendor_default_prop:file read;
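Review bot: The rule on `vendor_default_prop:file read` does not say which property was being read, and the same suppression is repeated in platform_app.te, priv_app.te and system_app.te. If, as the type name suggests, this is the fallback label for vendor properties with no specific context, the lasting fix is a dedicated property type rather than four silenced domains. Once the denial is out of the log the property name cannot be recovered from the policy, so the comment should carry it: `# b/149063685: read of <property name from the avc log>, labelled vendor_default_prop`.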
diff --git a/tracking_denials/e2fs.te b/tracking_denials/e2fs.te
new file mode 100644
index 0000000..32cb35a
--- /dev/null
+++ b/tracking_denials/e2fs.te
@@ -0,0 +1,2 @@
+# b/149063531
+dontaudit e2fs tmpfs:lnk_file read;
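Review bot: `tmpfs:lnk_file read` is silenced here and again in installd.te and ueventd.te, which looks like three domains following one symlink that carries the generic tmpfs label. The rule text does not identify the path, so after this change neither the policy nor the log says which link is mislabelled. I would record it in the comment in all three files, `# b/149063531: symlink <path from the avc log> is labelled tmpfs`.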
diff --git a/tracking_denials/factory_ota_app.te b/tracking_denials/factory_ota_app.te
new file mode 100644
index 0000000..2f0d25c
--- /dev/null
+++ b/tracking_denials/factory_ota_app.te
@@ -0,0 +1,2 @@
+# b/149063707
+dontaudit factory_ota_app gpuservice:binder call;
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
new file mode 100644
index 0000000..6b7e70e
--- /dev/null
+++ b/tracking_denials/gmscore_app.te
@@ -0,0 +1,4 @@
+# b/149062700
+dontaudit gmscore_app mnt_vendor_file:dir search;
+dontaudit gmscore_app sysfs_msm_subsys:file read;
+dontaudit gmscore_app vendor_firmware_file:filesystem getattr;
diff --git a/tracking_denials/hal_bluetooth_default.te b/tracking_denials/hal_bluetooth_default.te
new file mode 100644
index 0000000..8df181f
--- /dev/null
+++ b/tracking_denials/hal_bluetooth_default.te
@@ -0,0 +1,2 @@
+# b/149063293
+dontaudit hal_bluetooth_default self:socket create;
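Review bot: `self:socket create` names the generic `socket` class, so the rule does not show which address family the Bluetooth HAL tried to open, and with the denial suppressed the log will no longer show it either. A HAL creating a socket of an unclassified family is the kind of event worth being able to re-triage, so the original denial should be preserved next to the bug number. Something like `# b/149063293: socket() for <address family from the avc log>` would be enough.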
diff --git a/tracking_denials/hal_graphics_allocator_default.te b/tracking_denials/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..9126621
--- /dev/null
+++ b/tracking_denials/hal_graphics_allocator_default.te
@@ -0,0 +1,2 @@
+# b/149063351
+dontaudit hal_graphics_allocator_default sysfs_msm_subsys:dir search;
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
new file mode 100644
index 0000000..ca9bb86
--- /dev/null
+++ b/tracking_denials/init.te
@@ -0,0 +1,3 @@
+# b/149063688
+dontaudit init persist_block_device:lnk_file relabelto;
+dontaudit init vendor_firmware_file:filesystem getattr;
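Review bot: `dontaudit init persist_block_device:lnk_file relabelto` hides a failed relabel rather than log noise: the symlink presumably keeps its previous label, and every later access check on it is made against that label. The second rule, `vendor_firmware_file:filesystem getattr`, is an unrelated denial that also appears in gmscore_app.te, yet both sit under the single comment `# b/149063688`. I would give each rule its own comment, for example `# b/149063688: relabel of the persist block-device symlink is denied; fix the label source, then drop this rule`, and state whether the getattr rule is tracked by the same bug.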
diff --git a/tracking_denials/installd.te b/tracking_denials/installd.te
new file mode 100644
index 0000000..fbed6b8
--- /dev/null
+++ b/tracking_denials/installd.te
@@ -0,0 +1,2 @@
+# b/149063192
+dontaudit installd tmpfs:lnk_file read;
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
new file mode 100644
index 0000000..ca03843
--- /dev/null
+++ b/tracking_denials/platform_app.te
@@ -0,0 +1,3 @@
+# b/149063509
+dontaudit platform_app sysfs_msm_subsys:dir search;
+dontaudit platform_app vendor_default_prop:file read;
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 0000000..0bd4cdb
--- /dev/null
+++ b/tracking_denials/priv_app.te
@@ -0,0 +1,3 @@
+# b/149063676
+dontaudit priv_app sysfs_msm_subsys:file read;
+dontaudit priv_app vendor_default_prop:file read;
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 0000000..01fd8a8
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,3 @@
+# b/149063577
+dontaudit surfaceflinger sysfs_msm_subsys:dir search;
+dontaudit surfaceflinger vendor_firmware_file:dir search;
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te
new file mode 100644
index 0000000..314b681
--- /dev/null
+++ b/tracking_denials/system_app.te
@@ -0,0 +1,4 @@
+# b/149064421
+dontaudit system_app apk_verity_prop:file read;
+dontaudit system_app sysfs_msm_subsys:dir search;
+dontaudit system_app vendor_default_prop:file read;
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
new file mode 100644
index 0000000..92bdc7b
--- /dev/null
+++ b/tracking_denials/system_server.te
@@ -0,0 +1,2 @@
+# b/149064109
+dontaudit system_server sysfs_msm_subsys:file read;
diff --git a/tracking_denials/ueventd.te b/tracking_denials/ueventd.te
new file mode 100644
index 0000000..3eece05
--- /dev/null
+++ b/tracking_denials/ueventd.te
@@ -0,0 +1,2 @@
+# b/149064065
+dontaudit ueventd tmpfs:lnk_file read;
diff --git a/tracking_denials/untrusted_app_29.te b/tracking_denials/untrusted_app_29.te
new file mode 100644
index 0000000..be7b1fc
--- /dev/null
+++ b/tracking_denials/untrusted_app_29.te
@@ -0,0 +1,2 @@
+# b/149063229
+dontaudit untrusted_app_29 sysfs_msm_subsys:dir search;
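Review bot: This rule silences denials for `untrusted_app_29`, which by its name is a domain for third-party apps, so it removes from the log the events that would show an installed app walking `sysfs_msm_subsys`. Unlike the platform domains in this commit, the caller here is probably not code the device tree can change, so the suppression is likely to outlive the bug. Only the `_29` domain is covered, which would leave the log inconsistent if other untrusted-app domains hit the same directory. If the rule has to stay, the comment should say so: `# b/149063229: third-party apps probe this sysfs dir; access stays denied, only the log entry is suppressed`.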