Add policy for /system/bin/auditctl

/system/bin/auditctl is executed by init to set the kernel audit
throttling rate limit. Grant the rules necessary for this to happen.

Test: compiles and boots
Test: Perform an operation which generates lots of SELinux denials,
      and count how many occur before and after the time period.
Bug: 118815957

(cherry picked from commit 622ab8a2ba)

Change-Id: Ie5b4852fa217462557fce192c764305893968454

private/auditctl.te

@@ -0,0 +1,18 @@
+#
+# /system/bin/auditctl executed for logd
+#
+# Performs maintenance of the kernel auditing system, including
+# setting rate limits on SELinux denials.
+#
+
+type auditctl, domain, coredomain;
+type auditctl_exec, file_type, system_file_type, exec_type;
+
+# Uncomment the line below to put this domain into permissive
+# mode. This helps speed SELinux policy development.
+# userdebug_or_eng(`permissive auditctl;')
+
+init_daemon_domain(auditctl)
+
+allow auditctl self:global_capability_class_set audit_control;
+allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };

private/file_contexts

@@ -182,6 +182,7 @@
 /system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
 /system/bin/ashmemd	u:object_r:ashmemd_exec:s0
+/system/bin/auditctl	u:object_r:auditctl_exec:s0
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0