Allow snapshotctl to create ota_metadata_file.
When snapshotctl merge is called on sys.boot_completed
and /metadata/ota/state does not exist, it now tries
to initialize it by creating one.
Test: no selinux denials on boot
Bug: 143551390
Change-Id: I6ee268270e8f788d90610d7a1a90f252ea9baa3a
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index 78bf6fd..d07af3b 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -12,10 +12,10 @@
allow snapshotctl gsi_service:service_manager find;
binder_call(snapshotctl, gsid)
-# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
+# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
allow snapshotctl metadata_file:dir search;
allow snapshotctl ota_metadata_file:dir rw_dir_perms;
-allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
+allow snapshotctl ota_metadata_file:file create_file_perms;
# Allow to get A/B slot suffix from device tree or kernel cmdline.
r_dir_file(snapshotctl, sysfs_dt_firmware_android);
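Review bot: The new `allow snapshotctl ota_metadata_file:file create_file_perms;` rule grants more than the updated comment describes, since in Android's sepolicy global_macros `create_file_perms` expands to `{ create rename setattr unlink rw_file_perms }`, so snapshotctl also gains rename and setattr on ota_metadata_file (verify against this tree's global_macros). If initializing /metadata/ota/state only needs create, the narrower `allow snapshotctl ota_metadata_file:file { create unlink rw_file_perms };` keeps the grant to what the description asks for; if rename/setattr are genuinely used, the comment should say so, e.g. `# Allow to create/rename/setattr/read/write/delete OTA metadata files for snapshot status and COW file status.`. The hunk header counts ten lines per side but only eight are visible here, so some context lines (likely blanks) appear to be missing from this view.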