Allow odrefresh to relabel staging files to apex_art_data_file.

This will allow odrefresh to move files from staging dir to output dir
instead of copying.

Test: -
  1. Patch https://r.android.com/2991838
  2. atest odsign_e2e_tests_full
Change-Id: I8fec4db3ff720f84a58e41439089ea55e53301b4
diff --git a/private/odrefresh.te b/private/odrefresh.te
index d716309..cb8a535 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -5,7 +5,7 @@
 # Allow odrefresh to create files and directories for on device signing.
 allow odrefresh apex_module_data_file:dir { getattr search };
 allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file create_file_perms;
+allow odrefresh apex_art_data_file:file { create_file_perms relabelto } ;
 
 # Allow odrefresh to create data files (typically for metrics before statsd starts).
 allow odrefresh odrefresh_data_file:dir create_dir_perms;
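Review bot: The new `relabelto` on `apex_art_data_file:file` is not covered by the comment above the rule, which still only mentions creating files and directories for on-device signing. A line such as `# relabelto: finished artifacts are moved in from the staging dir and relabeled from apex_art_staging_data_file.` would record why the permission exists and which source label is intended. The same applies to the `relabelfrom` added on `apex_art_staging_data_file:file` in the second hunk, where the comment could note that files now leave staging by relabel rather than by copy. There is also a stray space before the semicolon in `{ create_file_perms relabelto } ;`, which the neighbouring rules do not have.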
@@ -16,7 +16,7 @@
 # Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
 # sets up files here and passes file descriptors for dex2oat to write to.
 allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
-allow odrefresh apex_art_staging_data_file:file create_file_perms;
+allow odrefresh apex_art_staging_data_file:file { create_file_perms relabelfrom };
 
 # Run dex2oat in its own sandbox.
 domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
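Review bot: Moving and relabeling means the inode that dex2oat wrote through a passed descriptor becomes the final artifact, whereas a copy presumably produced a fresh file written only by odrefresh. The comment above this rule states that the staging files are written via descriptors handed to dex2oat. dex2oat's policy is not part of this diff, so it is worth confirming that dex2oat has no write permission on `apex_art_data_file:file` and that odrefresh relabels only after the compiler process has finished. If that holds, a short comment such as `# Files are relabeled to apex_art_data_file only after dex2oat has finished writing.` would document the ordering assumption.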
@@ -58,3 +58,10 @@
 # odrefresh_data_files.
 neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
 neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
+
+# Read access to SELinux context files, for restorecon.
+allow odrefresh file_contexts_file:file r_file_perms;
+allow odrefresh seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(odrefresh)
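Review bot: The read grant on `seapp_contexts_file` may be broader than restorecon needs here. Labels for paths under the ART apexdata directory would normally come from file_contexts, and seapp_contexts is, as far as I know, only consulted for app data directories. If `odsign_e2e_tests_full` passes without denials when `allow odrefresh seapp_contexts_file:file r_file_perms;` is dropped, removing it keeps the domain closer to least privilege; if it is required, the comment could say why. The new allow rules are also appended after the neverallow block, while the other allow rules shown sit above it, so moving them next to the staging rules would keep the grants together.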