From 95ce8cfc1770e18e692b9e4f3ce92da212a38786 Mon Sep 17 00:00:00 2001
From: Nolen Johnson
Date: Tue, 1 Jul 2025 22:21:21 -0400
Subject: [PATCH] extra: sepolicy: Silence useless denials
---
 BoardConfigExtra.mk | 3 ++-
 sepolicy/private/linkerconfig.te | 1 +
 sepolicy/vendor/fsck.te | 1 +
 sepolicy/vendor/init.te | 1 +
 sepolicy/vendor/toolbox.te | 1 +
 sepolicy/vendor/vdc.te | 1 +
 6 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 sepolicy/private/linkerconfig.te
 create mode 100644 sepolicy/vendor/fsck.te
 create mode 100644 sepolicy/vendor/init.te
 create mode 100644 sepolicy/vendor/toolbox.te
 create mode 100644 sepolicy/vendor/vdc.te
diff --git a/BoardConfigExtra.mk b/BoardConfigExtra.mk
index b86e862..5592f98 100644
--- a/BoardConfigExtra.mk
+++ b/BoardConfigExtra.mk
@@ -12,4 +12,5 @@ ifndef TARGET_COPY_OUT_SYSTEM_EXT endif ## SELinux
-BOARD_VENDOR_SEPOLICY_DIRS += vendor/extra/sepolicy
+PRODUCT_PRIVATE_SEPOLICY_DIRS += vendor/extra/sepolicy/private
+BOARD_VENDOR_SEPOLICY_DIRS += vendor/extra/sepolicy/vendor
diff --git a/sepolicy/private/linkerconfig.te b/sepolicy/private/linkerconfig.te
new file mode 100644
index 0000000..6b0a1fa
--- /dev/null
+++ b/sepolicy/private/linkerconfig.te
@@ -0,0 +1 @@
+dontaudit linkerconfig self:capability kill;
diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te
new file mode 100644
index 0000000..9990eda
--- /dev/null
+++ b/sepolicy/vendor/fsck.te
@@ -0,0 +1 @@
+dontaudit fsck self:capability kill;
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..eb08278
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1 @@
+dontaudit init debugfs_tracing_debug:dir mounton;
diff --git a/sepolicy/vendor/toolbox.te b/sepolicy/vendor/toolbox.te
new file mode 100644
index 0000000..1674a7a
--- /dev/null
+++ b/sepolicy/vendor/toolbox.te
@@ -0,0 +1 @@
+dontaudit toolbox self:capability kill;
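Review bot: In BoardConfigExtra.mk the old `vendor/extra/sepolicy` entry is dropped from `BOARD_VENDOR_SEPOLICY_DIRS`, yet the commit only creates files and moves none, so any policy file still sitting directly in that directory would stop being picked up without a build error. If the directory was empty before this change that is fine, but it should be confirmed and stated in the commit message. The split also routes linkerconfig.te differently from the other four files, presumably because that type is not visible to vendor policy. A short comment above the two assignments saying why `private/` and `vendor/` both exist would save the next maintainer from guessing.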
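Review bot: `dontaudit linkerconfig self:capability kill;` in sepolicy/private/linkerconfig.te has no comment recording the denial it suppresses or why that denial is harmless, and the same applies to the identical rule in fsck.te, toolbox.te and vdc.te. A dontaudit rule leaves the access denied and removes the AVC record, so if one of these domains later needs CAP_KILL for a real reason, the failure will leave nothing in the audit log to diagnose or alert on. Each file should carry a line such as `# avc: denied { kill } capability, seen at <PLACEHOLDER: boot stage / trigger>; not required for operation`, and the commit message should quote the original avc lines so the suppression can be revisited.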
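Review bot: `dontaudit init debugfs_tracing_debug:dir mounton;` in sepolicy/vendor/init.te hides a failed mount attempt by init rather than removing whatever init script or fstab entry requests it, and the file does not say which one that is. The mount still fails, only silently, so anything that depends on it will break with no AVC record pointing at the cause. Record the trigger in a comment, e.g. `# init attempts to mount on the tracing debug dir via <PLACEHOLDER: rc file or fstab entry>; denial is cosmetic because <PLACEHOLDER: reason>`, or drop the offending mount if it lives in a tree this project controls.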
diff --git a/sepolicy/vendor/vdc.te b/sepolicy/vendor/vdc.te
new file mode 100644
index 0000000..9123f99
--- /dev/null
+++ b/sepolicy/vendor/vdc.te
@@ -0,0 +1 @@
+dontaudit vdc self:capability kill;