platform_system_sepolicy/private/auditctl.te

#
# /system/bin/auditctl executed for logd
#
# Performs maintenance of the kernel auditing system, including
# setting rate limits on SELinux denials.
#

type auditctl, domain, coredomain;
type auditctl_exec, file_type, system_file_type, exec_type;

# Uncomment the line below to put this domain into permissive
# mode. This helps speed SELinux policy development.
# userdebug_or_eng(`permissive auditctl;')

init_daemon_domain(auditctl)

allow auditctl self:global_capability_class_set audit_control;
allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
Add policy for /system/bin/auditctl /system/bin/auditctl is executed by init to set the kernel audit throttling rate limit. Grant the rules necessary for this to happen. Test: compiles and boots Test: Perform an operation which generates lots of SELinux denials, and count how many occur before and after the time period. Bug: 118815957 Change-Id: Id9df65497d1172ab7c2e84ff6a43722f11c61620 2019-04-09 19:57:13 +02:00			`#`
			`# /system/bin/auditctl executed for logd`
			`#`
			`# Performs maintenance of the kernel auditing system, including`
			`# setting rate limits on SELinux denials.`
			`#`

			`type auditctl, domain, coredomain;`
			`type auditctl_exec, file_type, system_file_type, exec_type;`

			`# Uncomment the line below to put this domain into permissive`
			`# mode. This helps speed SELinux policy development.`
			# userdebug_or_eng(`permissive auditctl;')

			`init_daemon_domain(auditctl)`

			`allow auditctl self:global_capability_class_set audit_control;`
			`allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };`