mac_permissions: explicitly label all mac_permissions files *mac_permissions.xml files need to be explicitly labeled as they are now split cross system and vendor and won't have the generic world readable 'system_file' or 'rootfs' label. Bug: 36003167 Test: no new 'mac_perms_file' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: Launch 'chrome' and succesfully load a website. Test: Launch Camera and take a picture. Test: Launch Camera and record a video, succesfully playback recorded video Change-Id: I1c882872bb78d1242ba273756ef0dc27487f58fc Signed-off-by: Sandeep Patil <sspatil@google.com>

commit: bb24f3abe1d09b1e8d8377683484d3d4589d8f45 [log] [tgz]
author: Sandeep Patil <sspatil@google.com> Mon Mar 27 12:06:04 2017 -0700
committer: Sandeep Patil <sspatil@google.com> Wed Mar 29 10:24:20 2017 -0700
tree: 8ec59dee1404406a69cd8a343597e974ced0101a
parent: 136caa1b65da75bb3c9a55f6875469fed11e59b5 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 698ae8e..ddeeb1b 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -232,6 +232,8 @@
 
 # Get file context
 allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)
commit	bb24f3abe1d09b1e8d8377683484d3d4589d8f45	[log] [tgz]
author	Sandeep Patil <sspatil@google.com>	Mon Mar 27 12:06:04 2017 -0700
committer	Sandeep Patil <sspatil@google.com>	Wed Mar 29 10:24:20 2017 -0700
tree	8ec59dee1404406a69cd8a343597e974ced0101a
parent	136caa1b65da75bb3c9a55f6875469fed11e59b5 [diff] [blame]