Merge "Only auditallow unlabeled accesses not allowed elsewhere."
diff --git a/init.te b/init.te
index 5cb9471..5397a82 100644
--- a/init.te
+++ b/init.te
@@ -19,6 +19,10 @@
# we just allow all file types except /system files here.
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
# Reload policy upon setprop selinux.reload_policy 1.
allow init kernel:security load_policy;
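Review bot: The two added `allow init unlabeled:...` rules grant `create_dir_perms` and `create_file_perms`, which is wider than the comment's stated purpose of coping with files left unlabeled by an upgrade from 4.2. If init only has to walk those trees and relabel them, `allow init unlabeled:dir { r_dir_perms relabelfrom };` and `allow init unlabeled:notdevfile_class_set { getattr relabelfrom };` would cover that without letting init create, write or unlink objects that carry no valid label. Whether init needs the create and write permissions is not visible in this hunk. If it does, the comment should name the operation that requires them and the condition under which the rules can be dropped.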
diff --git a/kernel.te b/kernel.te
index 96b5740..1faa9db 100644
--- a/kernel.te
+++ b/kernel.te
@@ -8,6 +8,9 @@
# The kernel is unconfined.
unconfined_domain(kernel)
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
# init direct restorecon calls prior to switching to init domain
# /dev and /dev/socket
allow kernel { device socket_device }:dir relabelto;
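Review bot: The comment on the added `allow kernel unlabeled:dir search;` does not say why an explicit rule is needed directly below `unconfined_domain(kernel)`. Presumably the unconfined rule set does not cover `unlabeled`; if so, that is worth recording so the rule is not later removed as redundant. The rule also matches every unlabeled directory rather than only the cgroup mount, since the policy has nothing but the `unlabeled` type to match on. If that reading is right, a comment such as `# unconfined_domain() does not cover unlabeled; search is needed until the cgroup root directory is labeled.` would record both points.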