Allow update_verifier to read dm blocks
Update_verifier will read dm-wrapped system/vendor partition. Therefore,
change the sepolicy accordingly.
Here's the denied message:
update_verifier: type=1400 audit(0.0:131): avc: denied { read } for
name="dm-0" dev="tmpfs" ino=15493 scontext=u:r:update_verifier:s0
tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
Bug: 34391662
Test: Read of /dev/block/dm-0 succeeds during boot time.
Change-Id: I23325bd92f6e28e9b1d62a0f2348837cece983d1
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 5ee5258..8482159 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -13,8 +13,8 @@
allow update_verifier ota_package_file:dir r_dir_perms;
allow update_verifier ota_package_file:file r_file_perms;
-# Read all blocks in system partition.
-allow update_verifier system_block_device:blk_file r_file_perms;
+# Read all blocks in dm wrapped system partition.
+allow update_verifier dm_device:blk_file r_file_perms;
# Use binderized HAL
hwbinder_use(update_verifier)
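Review bot: the added rule `allow update_verifier dm_device:blk_file r_file_perms;` is a type-wide grant, so it lets update_verifier read every block node labelled dm_device, not only the dm-0 node shown in the denial. The new comment above it says "dm wrapped system partition" only, while the commit message says system/vendor. Please make the comment match the commit message and state that the rule covers all dm_device nodes, so the breadth of the grant is visible to the next reader of this file. The same hunk drops the system_block_device read, and the commit message does not say whether update_verifier still needs the raw partition on devices where it is not dm-wrapped. A sentence on that in the message would help. The denial lists only { read }; keeping r_file_perms is consistent with the line it replaces, but the test line should confirm that no further denials appear once the read succeeds.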