file_context: explicitly label all file context files file_context files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'file_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospFileContexts Change-Id: I603157e9fa7d1de3679d41e343de397631666273 Signed-off-by: Sandeep Patil <sspatil@google.com>

commit: c9cf7361c1f5000834f125d287df8d2708b4d634 [log] [tgz]
author: Sandeep Patil <sspatil@google.com> Fri Mar 24 15:02:13 2017 -0700
committer: Sandeep Patil <sspatil@google.com> Wed Mar 29 10:17:21 2017 -0700
tree: 57d3bb01add8e0b14e593831f89d12350ae768ec
parent: 939d16b59f08c083c026899550d0128dfe49072a [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 5aae022..698ae8e 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -230,6 +230,8 @@
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)
commit	c9cf7361c1f5000834f125d287df8d2708b4d634	[log] [tgz]
author	Sandeep Patil <sspatil@google.com>	Fri Mar 24 15:02:13 2017 -0700
committer	Sandeep Patil <sspatil@google.com>	Wed Mar 29 10:17:21 2017 -0700
tree	57d3bb01add8e0b14e593831f89d12350ae768ec
parent	939d16b59f08c083c026899550d0128dfe49072a [diff] [blame]