Allow the netowrk stack to access its own data files.
After moving IpMemoryStore service to network stack module(aosp/906907),
the following untracked SELinux denials are observed on boot.
W id.networkstack: type=1400 audit(0.0:63): avc: denied { write } for
name="com.android.networkstack" dev="sda13" ino=704810
scontext=u:r:network_stack:s0:c49,c260,c512,c768
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
Add radio_data_file type for network stack user configuration and
relevant permission to allow access to its data, as the network stack
is a privileged app.
Test: m -j passed
Change-Id: I6eab528714df6a17aae0cb546dcc3ad4bb21deea
diff --git a/private/network_stack.te b/private/network_stack.te
index 4435a7a..b214538 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -24,5 +24,7 @@
allow network_stack dnsresolver_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack radio_service:service_manager find;
+allow network_stack radio_data_file:dir create_dir_perms;
+allow network_stack radio_data_file:file create_file_perms;
binder_call(network_stack, netd);
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 628b7d6..cbbdd64 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -146,7 +146,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all
+user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file