Comment 2 for bug 1714244

Given that the denials are harmless and that getting rid of them would require a patch that wouldn't enable sysadmins to actually implement custom policies, I'll lower the importance of that bug.