Move selinux_denial_metadata to /vendor.
selinux_denial_metadata is a concatenation of different bug maps on the
device, including the vendor one. This file is only used for debugging, so
we simply move it to /vendor instead of splitting it up.
/vendor/etc/selinux/selinux_denial_metadata has vendor_configs_file
selinux type, which is logd readable.
Bug: 5159394
Test: bug information is still preserved in avc logs, e.g.
audit(0.0:248): avc: denied { read } for
name="u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=18012
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=0
b/79617173 app=com.android.systemui
Change-Id: Id5eb9abd3bdeed92feb2aca40880903533468d50
diff --git a/Android.mk b/Android.mk
index a6c4f2a..eed488a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -217,12 +217,6 @@
endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
-ifneq ($(TARGET_BUILD_VARIANT), user)
-LOCAL_REQUIRED_MODULES += \
- selinux_denial_metadata \
-
-endif
-
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
@@ -293,6 +287,12 @@
product_sepolicy_and_mapping.sha256 \
endif
+
+ifneq ($(TARGET_BUILD_VARIANT), user)
+LOCAL_REQUIRED_MODULES += \
+ selinux_denial_metadata \
+
+endif
include $(BUILD_PHONY_PACKAGE)
#################################
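Review bot: The re-added `ifneq ($(TARGET_BUILD_VARIANT), user)` block has no comment saying why this package requires the module or why user builds are excluded. The `endif` also runs straight into `include $(BUILD_PHONY_PACKAGE)`, whereas the removed copy had a blank line after it. I would add `# Debugging aid only (maps denials to bug numbers); installed on /vendor, so excluded from user builds.` above the `ifneq` and a blank line after the `endif`. The phony-package definition this block belongs to starts outside the hunk, so the package name is not visible here and is worth stating in that comment.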
@@ -1085,7 +1085,7 @@
LOCAL_MODULE := selinux_denial_metadata
LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
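Review bot: The new `LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux` line depends on two things that this patch does not show. The file must pick up the vendor_configs_file label at its new location, and the reader (logd, going by the description) must open the /vendor path. If either is missing, the bug annotations would presumably disappear from avc logs without any build failure. A comment beside the path would record this: `# On /vendor because it includes vendor bug_map entries; labeled vendor_configs_file and read by logd.` The module definition starts and continues outside the hunk.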