Allowing vold to search /mnt/vendor/* vold will trim rw mount points about daily, but it is denied by SELinux: root 603 603 W Binder:603_2: type=1400 audit(0.0:11): avc: denied { search } for name="vendor" dev="tmpfs" ino=23935 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0 Allowing vold to search /mnt/vendor/* to fix the denials. Note that device-specific sepolicy needs to be extended to allow vold to send FITRIM ioctl. e.g., for /mnt/vendor/persist, it needs: allow vold persist_file:dir { ioctl open read }; Bug: 111409607 Test: boot a device, checks the above denial is gone Change-Id: Ia9f22d973e5a2e295678781de49a0f61fccd9dad

commit: 7b67a617dd498e8b892c3475e96deaa0da6d1649 [log] [tgz]
author: Bowgo Tsai <bowgotsai@google.com> Fri Jul 13 23:34:48 2018 +0800
committer: Bowgo Tsai <bowgotsai@google.com> Wed Jul 25 10:18:42 2018 +0800
tree: eb6293d445a88fd0cb4cbe2e34a3ffeed8380439
parent: 3280985971610bda77ab4615625fa56894bffefa [diff]
diff --git a/public/domain.te b/public/domain.te
index c6fc9f8..5dcfdf8 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -1391,6 +1391,7 @@
   coredomain
   -init
   -ueventd
+  -vold
 } mnt_vendor_file:dir *;
 
 # Only apps are allowed access to vendor public libraries.

diff --git a/public/vold.te b/public/vold.te
index 481f48c..1aa616b 100644
--- a/public/vold.te
+++ b/public/vold.te

@@ -213,6 +213,9 @@
 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;
 
+# vold might need to search or mount /mnt/vendor/*
+allow vold mnt_vendor_file:dir search;
+
 neverallow {
     domain
     -vold
commit	7b67a617dd498e8b892c3475e96deaa0da6d1649	[log] [tgz]
author	Bowgo Tsai <bowgotsai@google.com>	Fri Jul 13 23:34:48 2018 +0800
committer	Bowgo Tsai <bowgotsai@google.com>	Wed Jul 25 10:18:42 2018 +0800
tree	eb6293d445a88fd0cb4cbe2e34a3ffeed8380439
parent	3280985971610bda77ab4615625fa56894bffefa [diff]