init: allow init to restorecon on block devices and their symlinks
For early mount we end up creating the device nodes for partitions
under /dev/block before SELinux is initialized, which means that
restorecon_recursive on /dev/block will have to relabel these nodes
and their symlinks.
This change adds the rule to allow init to do the same.
b/27805372
Test: boot marlin / sailfish with early mount device node creation
but mount partitions using the default 'mountall' without any selinux
denials.
Change-Id: Ib9335f3f961d485d2120a175dbdbf85d6f70b160
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/public/init.te b/public/init.te
index a65bf2c..86f062a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -27,9 +27,11 @@
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file } relabelto;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
# setrlimit
allow init self:capability sys_resource;
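Review bot: the new `allow init tmpfs:lnk_file { getattr read relabelfrom };` rule is placed after `allow init kernel:fd use;` instead of next to the existing `allow init tmpfs:{ chr_file blk_file } relabelfrom;` line at the top of the hunk, which splits the tmpfs relabelfrom permissions across the block; folding it into that existing rule (or placing it directly beneath it, together with the `# restorecon for early mount device symlinks` comment) would keep the block_device/tmpfs relabel rules readable as one unit. The comment also sits several lines away from the `lnk_file` addition to the `block_device` relabelto rule that it explains, so a reader cannot tell that the two changes belong together without the commit message. Finally, the rule grants `read` on every tmpfs symlink, not only those under /dev/block; since the commit message only motivates relabeling, a one-line comment stating why `read` is required (for example, if restorecon needs to follow the link target) would make the scope of the grant auditable.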