Root of /data belongs to init (re-landing) Give /data itself a different label to its contents, to ensure that only init creates files and directories there. This change originally landed as aosp/1106014 and was reverted in aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying problem, and with that we can re-land this change. Bug: 139190159 Bug: 140402208 Test: aosp boots, logs look good Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf

commit: aed0f76ee915de983fb22d49e6294b4df3343ac7 [log] [tgz]
author: Paul Crowley <paulcrowley@google.com> Thu Aug 01 15:57:47 2019 -0700
committer: Paul Crowley <paulcrowley@google.com> Mon Sep 09 14:42:01 2019 -0700
tree: 8a1a22b305f1bc5d588bdd489a358fcffc0da4ac
parent: 6e85cd91d0832ca6d5eb582233646d6e08c1e13d [diff] [blame]
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 50efc22..6a68f1f 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te

@@ -2,3 +2,6 @@
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit vendor_init sysfs:dir write;
+
+# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
+allow vendor_init system_data_root_file:dir rw_dir_perms;
commit	aed0f76ee915de983fb22d49e6294b4df3343ac7	[log] [tgz]
author	Paul Crowley <paulcrowley@google.com>	Thu Aug 01 15:57:47 2019 -0700
committer	Paul Crowley <paulcrowley@google.com>	Mon Sep 09 14:42:01 2019 -0700
tree	8a1a22b305f1bc5d588bdd489a358fcffc0da4ac
parent	6e85cd91d0832ca6d5eb582233646d6e08c1e13d [diff] [blame]