goldfish_setup: grant /system/bin/sh exec access The goldfish_setup shell script needs the ability to execute the shell script interpreter. Allow it. Addresses the following denial: avc: denied { getattr } for pid=1220 comm="init.goldfish.s" path="/system/bin/sh" dev="vda" ino=442 scontext=u:r:goldfish_setup:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0 Bug: 28941573 Change-Id: I22d26e90f107c8d801229354a5e0513c37e6c31d

commit: 501c88c0290eb2308c110398f106411260863bb8 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Tue May 24 17:36:23 2016 -0700
committer: Nick Kralevich <nnk@google.com> Tue May 24 17:40:53 2016 -0700
tree: aab82624f77575e81ce10c7377d724f0d019f5df
parent: 2af23a3c208b4480998923edc1479919093bc6b9 [diff]
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index bce196a..b8f121c 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te

@@ -5,7 +5,7 @@
 init_daemon_domain(goldfish_setup)
 
 # Inherit open file to shell (interpreter) for script.
-allow goldfish_setup shell_exec:file read;
+allow goldfish_setup shell_exec:file rx_file_perms;
 
 # Run ifconfig, route commands to configure interfaces and routes.
 allow goldfish_setup system_file:file execute_no_trans;
commit	501c88c0290eb2308c110398f106411260863bb8	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Tue May 24 17:36:23 2016 -0700
committer	Nick Kralevich <nnk@google.com>	Tue May 24 17:40:53 2016 -0700
tree	aab82624f77575e81ce10c7377d724f0d019f5df
parent	2af23a3c208b4480998923edc1479919093bc6b9 [diff]