Fix selinux denials when applying updates in recovery.

These lines are copied from update_engine.te, and are needed to update
dynamic partitions in recovery.

Bug: 132943965
Test: sideload OTA on cuttlefish
Change-Id: Id03a658aac69b8d20fa7bb758530a4469c75cf9c
diff --git a/public/recovery.te b/public/recovery.te
index 12eadee..d5d16a2 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -138,6 +138,10 @@
   # This line seems suspect, as it should not really need to
   # set scheduling parameters for a kernel domain task.
   allow recovery kernel:process setsched;
+
+  # These are needed to update dynamic partitions in recovery.
+  r_dir_file(recovery, sysfs_dm)
+  allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
 ')
 
 ###
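Review bot: The allowxperm rule on the last added line only restricts which ioctl commands are permitted (BLKIOMIN and BLKALIGNOFF); it grants nothing unless recovery also has an allow rule carrying the ioctl permission on super_block_device_type:blk_file, and no such rule is visible in this hunk. Please confirm that rule exists elsewhere in recovery.te, or add it next to the allowxperm line so the pair can be read together. Since the commit message says these lines are copied from update_engine.te, the in-code comment could also name that file, so a later change to one policy prompts a check of the other.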