in /device/xxx/sepolicy/common
[scontext].te
add:
allow [scontext] [tcontext-object_r]:[tclass] [denied{}];
e.g.
cnss-daemon: type=1400 audit(0.0:32): avc: denied { search } for name="/" dev="sda9" ino=2 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
in /device/qcom/sepolicy/common
wcnss_service.te
+allow wcnss_service unlabedled:dir search;