authorNick Kralevich <nnk@google.com>2015-04-02 15:36:51 -0700
committerNick Kralevich <nnk@google.com>2015-04-02 15:36:51 -0700
commit8d200817d45e3e64d813f6bdc06e6e54ffe2e27d (patch)
tree669c2bdb0b29f87492b75e6d6f5b76b228841f19 /netd.te
parentb62b2020b33eccdf4984900227a53e1cdc9f59dd (diff)
netd dontaudit fsetid
For the reasons explained in the pre-existing code, we don't want to grant fsetid to netd, nor do we want denial messages to be generated. Change-Id: I34dcea81acd25b4eddc46bb54ea0d828b33c5fdc
Diffstat (limited to 'netd.te')
-rw-r--r--netd.te5
1 files changed, 2 insertions, 3 deletions
diff --git a/netd.te b/netd.te
index 5f4f38c..f84b452 100644
--- a/netd.te
+++ b/netd.te
@@ -11,9 +11,8 @@ allow netd self:capability { net_admin net_raw kill };
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
-# for netd to operate. Uncomment the dontaudit rule below after
-# sufficient testing of the fsetid removal.
-# dontaudit netd self:capability fsetid;
+# for netd to operate.
+dontaudit netd self:capability fsetid;
allow netd self:netlink_kobject_uevent_socket create_socket_perms;
allow netd self:netlink_route_socket nlmsg_write;
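Review bot: The comment above the newly enabled `dontaudit netd self:capability fsetid;` now ends at "for netd to operate." and does not tell a reader that the capability is still denied and that the rule only hides the resulting avc denial. That matters for later debugging: if netd ever performs a chmod whose outcome depends on fsetid, the setgid bit would be cleared with nothing in the audit log pointing at this rule. I would add one line directly before the rule, for example `# fsetid stays denied; dontaudit only suppresses the denial message, so disable dontaudit rules when debugging netd chmod behaviour.` The comment block begins above the hunk, so the earlier part of its wording is not visible here.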