From 03fef4854280f367115e41568b21f3b4042dd632 Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Thu, 3 Mar 2022 13:11:39 -0800
Subject: [PATCH] Don't audit storageproxyd unlabeled access

Test: m sepolicy
Bug: 197502330
Change-Id: I794dac85e475434aaf024027c43c98dde60bee27
---
 whitechapel/vendor/google/storageproxyd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te
index f9222712..ada64441 100644
--- a/whitechapel/vendor/google/storageproxyd.te
+++ b/whitechapel/vendor/google/storageproxyd.te
@@ -15,3 +15,7 @@ allow tee self:capability { setgid setuid };
 
 # Allow storageproxyd access to gsi_public_metadata_file
 read_fstab(tee)
+
+# storageproxyd starts before /data is mounted. It handles /data not being there
+# gracefully. However, attempts to access /data trigger a denial.
+dontaudit tee unlabeled:dir { search };
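Review bot: The added `dontaudit tee unlabeled:dir { search };` is wider than its comment suggests: it silences every `search` denial from the `tee` domain on any directory of type `unlabeled`, for the whole uptime, not only the early probe of /data before it is mounted. A directory that loses or never receives its label later would therefore produce no AVC record for this domain, which removes a signal that policy debugging and detection normally rely on. I would state that scope in the comment, for example `# NOTE: hides all tee searches of unlabeled dirs, not just the pre-mount /data probe (Bug: 197502330); re-check if tee access fails silently.` It would also help to say that `tee` is the domain storageproxyd runs in, since the comment names the daemon and the rule names the domain.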