sepolicy: explicitly label all sepolicy files
sepolicy files need to be explicitly labeled as they are now split
cross system and vendor and won't have the generic world readable
'system_file' or 'rootfs' label.
Bug: 36527360
Test: no new 'sepolicy_file' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: Launch 'chrome' and successfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, successfully play back the recorded
video
Change-Id: I6fe8ba31588c2d75521c6e2b0bf7e6d6eaf80a19
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/private/file_contexts b/private/file_contexts
index 35325f9..4735191 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -41,15 +41,15 @@
/file_contexts\.bin u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
-/mapping_sepolicy\.cil u:object_r:rootfs:s0
-/nonplat_sepolicy\.cil u:object_r:rootfs:s0
-/plat_sepolicy\.cil u:object_r:rootfs:s0
+/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
/nonplat_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/sepolicy u:object_r:rootfs:s0
+/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/nonplat_service_contexts u:object_r:service_contexts_file:s0
@@ -253,15 +253,21 @@
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
#############################
# Vendor files
#
/vendor(/.*)? u:object_r:system_file:s0
+/vendor/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
#############################
# OEM and ODM files
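Review bot: The five added `/system/etc/selinux/...` and `/vendor/etc/selinux/...` entries leave the `.` in `.cil`, `.sha256` and `precompiled_sepolicy.plat` unescaped, while the rootfs entries relabeled in the first hunk escape it (`/plat_sepolicy\.cil`). file_contexts paths are regular expressions, so an unescaped dot matches any single character; on these fixed paths that is unlikely to mislabel anything, but it is inconsistent within the same commit and makes the entries harder to grep against hunk 1. Suggest `/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0` and the same escaping on the other four new lines.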
diff --git a/public/file.te b/public/file.te
index 27937f4..bc54c34 100644
--- a/public/file.te
+++ b/public/file.te
@@ -265,6 +265,9 @@
# seapp_contexts file
type seapp_contexts_file, file_type;
+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
# service_contexts file
type service_contexts_file, file_type;
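Review bot: The comment on the new type, `# sepolicy files binary and others`, does not tell a reader which files carry this label, even though the file_contexts hunk spells them out. Since the same commit assigns it to the compiled policy, the CIL sources and their sha256 digests, suggest `# SELinux policy files: compiled policy, CIL sources and their sha256 digests`. Placing the type in public/file.te is consistent with the vendor file_contexts entries needing to reference it.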
diff --git a/public/init.te b/public/init.te
index 4aa1349..4af41ec 100644
--- a/public/init.te
+++ b/public/init.te
@@ -302,6 +302,9 @@
# Get file context
allow init file_contexts_file:file r_file_perms;
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
# Perform SELinux access checks on setting properties.
selinux_check_access(init)
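Review bot: The new rule grants read access to sepolicy_file only to init; any other domain that previously reached `/sepolicy` or the CIL files through the generic `rootfs`/`system_file` labels removed in the first two hunks now needs an explicit rule that this commit does not add. The boot, recovery and app tests in the commit message suggest no such reader was hit on the tested device, but that is inferred from the test notes rather than from anything visible in the hunk. The comment `# sepolicy access` could name the files and the intent so the tightening is not undone later, e.g. `# Read-only access to the compiled policy, CIL sources and sha256 digests (sepolicy_file)`.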