Policy for using Apex sepolicy
Bug: 199914227
Test: aosp/1910032
Change-Id: I0726facbf0c28c486ef6501718a6013a040e4b0e
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 18fa8bb..d15f9ba 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -13,3 +13,7 @@
allow system_data_file tmpfs:filesystem associate;
type authfs_fuse, fs_type, contextmount_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 1d03c4a..258c8d7 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,3 +81,19 @@
#-----------------------------------------
allow kernel apkdmverity:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+ file_contexts_file
+ hwservice_contexts_file
+ mac_perms_file
+ property_contexts_file
+ seapp_contexts_file
+ sepolicy_test_file
+ service_contexts_file
+}:file relabelto;