Now you have set up adb working and boot to recovery, flash rom and bootup to sy

1. Now you have set up adb working and boot to recovery, flash rom and bootup to system. After the system has booted (even with blacked out screen), you can adb to it. First "adb logcat >somefile.txt". Then "adb shell", hit enter twice, "su -". Now you have a root shell. "dmesg -s 999999999 >/sdcard/someotherfile.txt", leave device (hit ctrl-d till back on hosts shell prompt). Get someotherfile.txt to host: "adb pull /sdcard/someotherfile.txt". Now you have somefile.txt and someotherfile.txt in your current directory.
2. On your buildhost install the linux package "policycoreutils" (thats gentoo naming, on your disribution it may be called policy-core-util, or selinux-utils), we need the program audit2allow. now you prepare the logfiles (assuming you cwd is the root of your cm build tree, and the both logfiles are in /tmp): grep
3. I forgot the third file we need: "adb pull /data/misc/audit/audit.log" and now I assume all three files in tmp.
4. Hangouts is not comfortable to vcreate documentation on the fly... ;)
5. "grep avc: /tmp/some*txt /tmp/audit.log|grep denied|audit2allow -p out/target/product/chagalllte/root/sepolicy", the output will be the suggested rule(s), sorted by security domains (which is in deed our naming scheme: rules for domain vold live in vold.te). For the rest of the job, I'll paste something I've written to Sean already:
6. Get the avc lines (from /data/misc/audit/audit.log and dmesg, for dmesg don't forget to set kernel ring buffer to 21, otherwise you havenno chance to get it complete from 0.000 on). All avc lines in question I put in a file - let's call it tmp.txt. In root of cm tree: "cat tmp.txt|audit2allow -p out/target/product/*/root/sepolicy". Mostly the resulting (suggested) rules will not build, 'cause blabla violates never allow rule. Then you have to be more specific. I.e. not allowing devfs but allowing /sys/bla/fasel will work.
7. Sean also asks, if denials could be seen in permissive mode. Answer: You see the denials (but sometimes not all - see my vold commits, two of them could only be seen in enforcing mode). You need at least one permissive and one enforcing boot... If you think, it's a pain in the ass, you are right. ;)