Allow update_engine to inotify_add_watch dm-user device nodes. inotify_add_watch requires read permissions and these were only granted to the /dev/block/dm-user directory, not the device nodes. Denial: avc: denied { read } for pid=1918 comm="update_engine" name="product_b-user-cow" dev="tmpfs" ino=162 scontext=u:r:update_engine:s0 tcontext=u:object_r:dm_user_device:s0 tclass=chr_file permissive=0 Bug: 238572067 Test: apply OTA Change-Id: I3fa7c9600873f4a2638fd140287511005f5aac1d

commit: b7bb3d007160ddc5d4c956a8caf33c066bd9296a [log] [tgz]
author: David Anderson <dvander@google.com> Thu Jul 21 12:45:20 2022 -0700
committer: David Anderson <dvander@google.com> Thu Jul 21 12:47:46 2022 -0700
tree: f44a709d50e931ec8db7f9421d76689ea20cc64a
parent: 9617447817aa6768b71fdc85911022d81ff80556 [diff]
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e8fd29e..12961e7 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te

@@ -72,6 +72,7 @@
 # read /dev/dm-user, so that we can inotify wait for control devices to be
 # asynchronously created by ueventd.
 allow update_engine dm_user_device:dir r_dir_perms;
+allow update_engine dm_user_device:chr_file r_file_perms;
 
 # read / write metadata on super device to resize partitions
 allow update_engine_common super_block_device_type:blk_file rw_file_perms;
commit	b7bb3d007160ddc5d4c956a8caf33c066bd9296a	[log] [tgz]
author	David Anderson <dvander@google.com>	Thu Jul 21 12:45:20 2022 -0700
committer	David Anderson <dvander@google.com>	Thu Jul 21 12:47:46 2022 -0700
tree	f44a709d50e931ec8db7f9421d76689ea20cc64a
parent	9617447817aa6768b71fdc85911022d81ff80556 [diff]