Merge "Don't audit storageproxyd unlabeled access"

2022-03-04 17:45:37 +00:00
parent 0e1e0e2830 03fef48542
commit fbf92e2ada
1 changed files with 4 additions and 0 deletions
--- a/whitechapel/vendor/google/storageproxyd.te
+++ b/whitechapel/vendor/google/storageproxyd.te
@@ -15,3 +15,7 @@ allow tee self:capability { setgid setuid };

 # Allow storageproxyd access to gsi_public_metadata_file
 read_fstab(tee)
+
+# storageproxyd starts before /data is mounted. It handles /data not being there
+# gracefully. However, attempts to access /data trigger a denial.
+dontaudit tee unlabeled:dir { search };