Use postinstall file_contexts Previously we would mount OTA images with a 'context=...' mount option. This meant that all selinux contexts were ignored in the ota image, limiting the usefulness of selinux in this situation. To fix this the mount has been changed to not overwrite the declared contexts and the policies have been updated to accurately describe the actions being performed by an OTA. Bug: 181182967 Test: Manual OTA of blueline Merged-In: I5eb53625202479ea7e75c27273531257d041e69d Change-Id: I5eb53625202479ea7e75c27273531257d041e69d

commit: 16dfb432b3293d30cc889e1ccc00c95ff18b369a [log] [tgz]
author: Alex Light <allight@google.com> Thu Mar 11 11:26:08 2021 -0800
committer: Alex Light <allight@google.com> Wed Mar 24 17:00:35 2021 -0700
tree: 2d3b72b75fc845633c30476a3d9568dc7a1f9951
parent: 133496f8a47526cc0eb5f01c9c69fb1aaa9aee69 [diff] [blame]
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 84fde67..2688102 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te

@@ -19,4 +19,9 @@
 # Allow linkerconfig to read apex-info-list.xml
 allow linkerconfig apex_info_file:file r_file_perms;
 
+# Allow linkerconfig to be called in the otapreopt_chroot
+allow linkerconfig otapreopt_chroot:fd use;
+allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
+allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
+
 neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
commit	16dfb432b3293d30cc889e1ccc00c95ff18b369a	[log] [tgz]
author	Alex Light <allight@google.com>	Thu Mar 11 11:26:08 2021 -0800
committer	Alex Light <allight@google.com>	Wed Mar 24 17:00:35 2021 -0700
tree	2d3b72b75fc845633c30476a3d9568dc7a1f9951
parent	133496f8a47526cc0eb5f01c9c69fb1aaa9aee69 [diff] [blame]