Fix an untracked selinux denial
Aconfigd needs to scan all files and dirs under /apex (apex mount dir)
to find all the mainline modules. It does that by reading the dir, then
checking if each entry is a dir and, if it is a dir, checking if it has
storage files.
Due to this, it needs to get attributes of all files directly under /apex.
This caused an untracked selinux denial when aconfigd tries to access the apex
info file, which is directly under /apex. Given that we don't really need
this permission, add the dontaudit rule.
Bug: b/381889824
Change-Id: Idb744823ede2e55d0963ad0611ef409eca6b9790
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 5ee967d..15ce3cc 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -33,6 +33,7 @@
# allow aconfigd to read /apex dir
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd apex_info_file:file r_file_perms;
###
### Neverallow assertions
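Review bot: the new `dontaudit` line silences all of `r_file_perms` on `apex_info_file`, while the commit message attributes the denial only to getting attributes of entries directly under /apex. Consider narrowing it to `dontaudit aconfigd apex_info_file:file getattr;` so that an unexpected open or read of the apex info file by aconfigd would still show up in the audit log. The rule also sits under the existing "# allow aconfigd to read /apex dir" comment with no explanation of its own; a one-line comment saying that the directory scan stats every entry under /apex and that access to the info file is not needed would keep the rationale next to the rule.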