recovery: allow read access to fuse filesystem adb sideload depends on the ability to access the fuse directory. Flipping recovery into enforcing started triggering the following denial: type=1400 audit(17964905.699:7): avc: denied { search } for pid=132 comm="recovery" name="/" dev="fuse" ino=1 scontext=u:r:recovery:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir Change-Id: I27ee0295fa2e2d0449bfab4f95bfbc076e92cf59

commit: e9d97b744e95307020d461fd16f756323f25bba7 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Tue Jul 08 10:52:05 2014 -0700
committer: Nick Kralevich <nnk@google.com> Tue Jul 08 10:52:05 2014 -0700
tree: a0e63ebd6ce6830effa43c22ff584a1c35473b4a
parent: 9f6af083e8a31c9b5a9f9ac21885dfc3c0dc14b2 [diff]
diff --git a/recovery.te b/recovery.te
index 9c59003..28c7f80 100644
--- a/recovery.te
+++ b/recovery.te

@@ -92,6 +92,7 @@
   # "sdcard_internal"; the simulated SD card is the only other user of
   # fuse.)
   allow recovery fuse_device:chr_file rw_file_perms;
+  allow recovery sdcard_internal:dir r_dir_perms;
   allow recovery sdcard_internal:file r_file_perms;
 
   wakelock_use(recovery)
commit	e9d97b744e95307020d461fd16f756323f25bba7	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Tue Jul 08 10:52:05 2014 -0700
committer	Nick Kralevich <nnk@google.com>	Tue Jul 08 10:52:05 2014 -0700
tree	a0e63ebd6ce6830effa43c22ff584a1c35473b4a
parent	9f6af083e8a31c9b5a9f9ac21885dfc3c0dc14b2 [diff]