Now that nnp transitions are available in kernel v4.14, can the
selinux_err message be skipped? (maybe conditional if the policy
capability for nnp transitions is enabled)

Cause now I am getting these logs:

time->Sat Nov 4 11:30:21 2017
type=PROCTITLE msg=audit(1509791421.220:2221):
proctitle=2F7573722F62696E2F64706B67002D2D7072696E742D666F726569676E2D61726368697465637475726573
type=PATH msg=audit(1509791421.220:2221): item=1
name="/lib64/ld-linux-x86-64.so.2" inode=131141 dev=08:01 mode=0100755
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL cap_fp=0000000000000000 cap_fi=000000000000
0000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1509791421.220:2221): item=0 name="/usr/bin/dpkg"
inode=394494 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:dpkg_exec_t:s0 nametype=NORMAL
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_f
e=0 cap_fver=0
type=CWD msg=audit(1509791421.220:2221): cwd="/root/workspace/selinux/policy"
type=EXECVE msg=audit(1509791421.220:2221): argc=2 a0="/usr/bin/dpkg"
a1="--print-foreign-architectures"
type=SYSCALL msg=audit(1509791421.220:2221): arch=c000003e syscall=59
success=yes exit=0 a0=564d70b9cea0 a1=564d70b977f0 a2=7fffa1d32450
a3=2 items=2 ppid=20592 pid=20593 auid=0 uid=109 gid=65534 euid=109
suid=109 fsuid=109 egid=65534 sg
id=65534 fsgid=65534 tty=pts1 ses=1 comm="dpkg" exe="/usr/bin/dpkg"
subj=root:sysadm_r:apt_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1509791421.220:2221):
op=security_bounded_transition seresult=denied
oldcontext=root:sysadm_r:apt_t:s0-s0:c0.c1023
newcontext=root:sysadm_r:dpkg_t:s0-s0:c0.c1023
type=AVC msg=audit(1509791421.220:2221): avc: denied {
nnp_transition } for pid=20593 comm="apt-config"
scontext=root:sysadm_r:apt_t:s0-s0:c0.c1023
tcontext=root:sysadm_r:dpkg_t:s0-s0:c0.c1023 tclass=process2
permissive=0

I like to dontaudit the transition (and let apt stay in the apt_t
domain for these operations) but the selinux_err message will keep
showing up.