Add sepolicy rules showen for Docker container

bsp_diff/caas/device/intel/sepolicy/0009-Docker-seilinux-avc-denials-fix.patch

@@ -0,0 +1,48 @@
+From c3bbb004ae589dfa1658c4f2c368eeafb4573920 Mon Sep 17 00:00:00 2001
+From: "Kothapeta, BikshapathiX" <[email protected]>
+Date: Fri, 1 Dec 2023 16:21:50 +0530
+Subject: [PATCH] Docker: seilinux avc denials fix
+
+Tracked-On:
+Signed-off-by: Kothapeta, BikshapathiX <[email protected]>
+
+diff --git a/kernel/system_server.te b/kernel/system_server.te
+index d68dca5..5cdd071 100644
+--- a/kernel/system_server.te
++++ b/kernel/system_server.te
+@@ -7,3 +7,6 @@ allow system_server system_app:file rw_file_perms;
+
+ allow system_server hal_graphics_allocator_default_tmpfs:file rw_file_perms;
+ allow system_server shell_data_file:file map;
++
++dontaudit system_server proc:file { getattr };
++dontaudit system_server system_file:file { ioctl };
+diff --git a/kernel/vendor_init.te b/kernel/vendor_init.te
+index f406f4e..b6ca0a9 100644
+--- a/kernel/vendor_init.te
++++ b/kernel/vendor_init.te
+@@ -1,5 +1,6 @@
+ allow vendor_init file_contexts_file:file map;
+ allow vendor_init kernel:key search;
++dontaudit vendor_init wifi_data_file:dir { search };
+ userdebug_or_eng(`
+   allow vendor_init proc:file write;
+   allow vendor_init proc_hung_task:file write;
+diff --git a/kernel/zygote.te b/kernel/zygote.te
+index 6bbd735..13d0de3 100644
+--- a/kernel/zygote.te
++++ b/kernel/zygote.te
+@@ -1,2 +1,3 @@
+ # zygote
+ #allow zygote self:capability dac_read_search;
++dontaudit zygote labeledfs:filesystem { unmount };
+diff --git a/vendor/bootanim.te b/vendor/bootanim.te
+index 1b78c87..31a9181 100644
+--- a/vendor/bootanim.te
++++ b/vendor/bootanim.te
+@@ -1 +1,2 @@
+ allow bootanim tmpfs:file { read write };
++dontaudit bootanim proc:file { getattr };
+-- 
+2.43.0
+