From f7a7f7d1382129b79cd5efce00554a4eeaab024e Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Wed, 11 Apr 2018 10:46:30 -0700
Subject: [PATCH 1/2] Suppress spurious denial

Addresses:
avc: denied { sys_resource } for comm="ip6tables" capability=24 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c
(cherry picked from commit 443a43c98121363929f268b1f77bd229a3247d3a)
---
 private/netutils_wrapper.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f56e8d861..ea58814e1 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -33,3 +33,9 @@ domain_auto_trans({
   -coredomain
   -appdomain
 }, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };

From 7e5ec2bc3d1d1b45471898f446f1ba1d66b7d046 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Wed, 11 Apr 2018 12:06:01 -0700
Subject: [PATCH 2/2] Suppress spurious denial

Addresses:
avc: denied { sys_resource } scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: If2413c3005df02a70661464d695211acbcda4094
(cherry picked from commit 816e744d998cb327fbd20f3124b22398bea2b8e4)
---
 private/zygote.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/zygote.te b/private/zygote.te
index 4ea401dce..0a1a7c6b9 100644
--- a/private/zygote.te
+++ b/private/zygote.te
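Review bot: The `dontaudit netutils_wrapper self:global_capability_class_set sys_resource;` line in the netutils_wrapper.te hunk is commented only as "suppress spurious denials", so the policy file itself records neither which operation is being refused nor why that refusal is harmless; the commit message carries the comm (ip6tables) and the bug, but a reader of the .te file a year from now cannot tell this suppression from a silenced real failure. I would expand the comment to `# ip6tables trips a CAP_SYS_RESOURCE check that the commit message reports as spurious; silence the log rather than grant the capability (b/77905989).` and leave the rule as is. Keep in mind that `dontaudit` only hides the message while the check still fails, so if ip6tables ever genuinely needs sys_resource the breakage will now leave no audit trail; that trade is acceptable only while the denial is confirmed harmless, which is why the reason belongs on the line. The `neverallow ... ~{ net_admin net_raw }` that follows is the right companion: it pins the domain to exactly two capabilities, so this suppression can never quietly turn into a grant.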
@@ -114,6 +114,9 @@ allow zygote tmpfs:dir r_dir_perms;
 get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
 
+# ingore spurious denials
+dontaudit zygote self:capability sys_resource;
+
 ###
 ### neverallow rules
 ###
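Review bot: The comment on the added `dontaudit zygote self:capability sys_resource;` line is misspelled (`ingore`) and, as with the sibling change in netutils_wrapper.te, gives no reason the denial is spurious or what triggers it; zygote is the parent of every app process, so an unexplained capability suppression in its domain deserves a reason on the line. I would change it to `# ignore a spurious CAP_SYS_RESOURCE check; the denial is harmless and the capability is deliberately not granted (b/77905989).`. The first patch writes its suppression against `self:global_capability_class_set` while this one uses `self:capability`, which is narrower; if that difference is deliberate a word saying so would help, otherwise the two should match. Because `dontaudit` hides the message but not the failure, a genuine sys_resource denial in zygote would now go unlogged, so the `### neverallow rules ###` section that begins at the end of this hunk (its body lies outside the hunk) is the natural place to pin that zygote is never granted this capability, mirroring what the first patch did for netutils_wrapper.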