Add dac_read_search to apexd to prevent spurious denials.
As apexd now has dac_override, it should also have dac_read_search to
avoid spurious denials.
Bug: 141148175
Test: Build, run apex installation, check denials.
Change-Id: I179c05b36ae0fe62d943ca59ee7f8158507f1f10
diff --git a/private/apexd.te b/private/apexd.te
index faff8c6..36b7999 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -45,7 +45,7 @@
# sys_admin is required to access the device-mapper and mount
# dac_override, chown, and fowner are needed for snapshot and restore
-allow apexd self:global_capability_class_set { sys_admin chown dac_override fowner };
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other