Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / d84b67e1ccc4daa6b4a191b1343dac48c39c2a25^! / . / private
commitd84b67e1ccc4daa6b4a191b1343dac48c39c2a25[log] [tgz]
authorDavid Anderson <dvander@google.com>Thu Feb 04 12:30:09 2021 -0800
committerDavid Anderson <dvander@google.com>Tue Feb 23 00:10:43 2021 -0800
treec30f7ee98a00fd091aebd606d351844150d75e9b
parente35b49bd1680d56d771389d5fc7f915a2b553e89 [diff]
Fix missing domain transition for snapuserd in recovery.

System files in recovery are labelled as rootfs, so we need an explicit
transition to snapuserd. Without this, factory data resets will fail
with a VABC OTA pending, with the following denial:

        avc:  denied  { entrypoint } for  pid=522 comm="init" path="/system/bin/snapuserd"
                dev="rootfs" ino=1491 scontext=u:r:snapuserd:s0 tcontext=u:object_r:rootfs:s0
                tclass=file permissive=0

Bug: 179336104
Test: factory data reset with VABC OTA pending
Change-Id: Ia839d84a48f2ac8ccb37d6ae3b1f8a8f7e619931

diff --git a/private/init.te b/private/init.te
index 02d45a1..f00c65c 100644
--- a/private/init.te
+++ b/private/init.te

@@ -16,6 +16,7 @@
   domain_trans(init, rootfs, fastbootd)
   domain_trans(init, rootfs, recovery)
   domain_trans(init, rootfs, linkerconfig)
+  domain_trans(init, rootfs, snapuserd)
 ')
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)