Add more sepolicy for cgroup/cpusets
After enabling cgroup/cpusets in the cuttlefish kernel, these new
denials have popped up. Fix them.
Bug: 128336318
Change-Id: I0dfebebea518261659824c595ea9609c954d64ad
Merged-In: I0dfebebea518261659824c595ea9609c954d64ad
diff --git a/shared/sepolicy/bug_map b/shared/sepolicy/bug_map
index 1adf764..74341aa 100644
--- a/shared/sepolicy/bug_map
+++ b/shared/sepolicy/bug_map
@@ -3,6 +3,7 @@
kernel device blk_file 130468851
kernel kernel system 130424539
lmkd device file 128336318
+logpersist logpersist capability 132911257
netd device file 128336318
shell adbd vsock_socket 131904985
storaged device file 128336318
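Review bot: The added `logpersist logpersist capability 132911257` entry records a denial against a tracking bug rather than fixing it, and it matches the whole `capability` class. Any later, unrelated capability denial in logpersist would therefore be attributed to the same bug during triage. The commit message says the denials are fixed and cites only bug 128336318. It would help to state there that the logpersist denial is deferred to b/132911257 and which capability the audit log named. Remove the entry once that bug is resolved, so a stale mapping does not mislabel new denials.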
diff --git a/shared/sepolicy/gceservice.te b/shared/sepolicy/gceservice.te
index 4881309..b6f84be 100644
--- a/shared/sepolicy/gceservice.te
+++ b/shared/sepolicy/gceservice.te
@@ -24,3 +24,6 @@
# started before Android init and thus before SELinux rule are applied.
# TODO(b/65049764): Update once GCE metadata proxy is moved outside of the emulator or gets labelled
allow gceservice kernel:unix_stream_socket connectto;
+
+# gceservice writes to /dev/stune/foreground/tasks
+allow gceservice cgroup:file w_file_perms;
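Review bot: The new `allow gceservice cgroup:file w_file_perms;` rule is broader than its comment. The comment names one file, /dev/stune/foreground/tasks, while the rule grants write access to every file labelled `cgroup`, which presumably includes the cpuset hierarchy this commit enables. If no narrower type exists for the schedtune files that is acceptable, but the comment should say so, for example `# gceservice joins the foreground stune group by writing /dev/stune/foreground/tasks; all cgroup files share one type, so this grant covers them all.` It is also worth checking the logged denial to see whether a smaller permission set such as `{ open write }` would suffice instead of the full `w_file_perms` macro.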