Allow odsign to rename & unlink CompOS files. Write access is still denied. Bug: 194654666 Test: No denials when testing odsign. Change-Id: Ia9ca85e4008a1a69da0943793d310b974a8484db

commit: 17ad9eb63e68afe869220624c05b296917c6ee4e [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Fri Jul 30 11:59:14 2021 +0100
committer: Alan Stokes <alanstokes@google.com> Fri Jul 30 15:00:28 2021 +0100
tree: 7e23d04df9c66dcf6401a3f92d92306800d285ae
parent: 514cc4db445f84e7453348057fc63d1d451d6542 [diff]
diff --git a/private/odsign.te b/private/odsign.te
index 0b2f187..3297af7 100644
--- a/private/odsign.te
+++ b/private/odsign.te

@@ -44,9 +44,9 @@
 allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
 allow odsign apex_art_data_file:file { rw_file_perms unlink };
 
-# For CompOS pending key files
-allow odsign apex_compos_data_file:dir { getattr search write remove_name };
-allow odsign apex_compos_data_file:file { r_file_perms unlink };
+# For CompOS instance & key files
+allow odsign apex_compos_data_file:dir rw_dir_perms;
+allow odsign apex_compos_data_file:file { r_file_perms unlink rename };
 
 # Run odrefresh to refresh ART artifacts
 domain_auto_trans(odsign, odrefresh_exec, odrefresh)
commit	17ad9eb63e68afe869220624c05b296917c6ee4e	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Fri Jul 30 11:59:14 2021 +0100
committer	Alan Stokes <alanstokes@google.com>	Fri Jul 30 15:00:28 2021 +0100
tree	7e23d04df9c66dcf6401a3f92d92306800d285ae
parent	514cc4db445f84e7453348057fc63d1d451d6542 [diff]