Allow update_engine to read /proc/filesystems
During OTA install, update_engine needs to read this file to determine
if overlayfs is enabled, as OTA requires overlayfs to be disabled.
The SELinux denial looks like:
audit(0.0:242): avc: denied { read } for name="filesystems"
dev="proc" ino=4026532076 scontext=u:r:update_engine:s0
tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0
Bug: 309812002
Test: th
Change-Id: I10903ced21e79c90dec45fb40ecd169d98c94e89
diff --git a/public/update_engine.te b/public/update_engine.te
index f879013..6f79902 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -73,3 +73,7 @@
allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
allow update_engine snapshotctl_log_data_file:file create_file_perms;
')
+
+# Allow determining filesystems available on system.
+# Needed for checking if overlayfs is enabled
+allow update_engine proc_filesystems:file r_file_perms;
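Review bot: the new rule at the end of public/update_engine.te grants the whole r_file_perms set on proc_filesystems:file, while the denial quoted in the commit message records only { read }. Please confirm the macro is the intended scope rather than the narrowest set that clears the OTA path. The rule also sits after the closing `')` of the preceding block, so it applies unconditionally, and because the file is under public/ it becomes part of the policy exported to other partitions. If that is deliberate, say so in the comment. On the comment itself, "checking if overlayfs is enabled" could be more precise: /proc/filesystems lists the filesystem types registered with the kernel, not what is mounted, so consider wording such as "# Read /proc/filesystems to detect overlayfs support before OTA install" and referencing the bug number there.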