Allow apps to execute app_data_files Fixes the following denial: <5>[28362.335293] type=1400 audit(1378991198.292:24): avc: denied { execute } for pid=1640 comm="facebook.katana" path="/data/data/com.facebook.katana/app_libs/libfb_jpegturbo.so" dev="mmcblk0p23" ino=652556 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file Change-Id: I4a515610149f06f0c49194feb6bc96e9b3080c12

commit: a24a991dd59fe03cdc681aadcb6bbca1ffac9b7b [log] [tgz]
author: Nick Kralevich <nnk@google.com> Thu Sep 12 12:12:25 2013 -0700
committer: Nick Kralevich <nnk@google.com> Thu Sep 12 12:19:31 2013 -0700
tree: f87c8b39244379053fe64cb59cdecdbdd22674db
parent: a2477056ae6a702e7e71b671cd0c47afc1c7da8a [diff]
diff --git a/app.te b/app.te
index aaf811a..fd16764 100644
--- a/app.te
+++ b/app.te

@@ -30,7 +30,7 @@
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };
 
 # Read/write data files created by the platform apps if they
 # were passed to the app via binder or local IPC.  Do not allow open.
commit	a24a991dd59fe03cdc681aadcb6bbca1ffac9b7b	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Thu Sep 12 12:12:25 2013 -0700
committer	Nick Kralevich <nnk@google.com>	Thu Sep 12 12:19:31 2013 -0700
tree	f87c8b39244379053fe64cb59cdecdbdd22674db
parent	a2477056ae6a702e7e71b671cd0c47afc1c7da8a [diff]