Merge "Track otapreopt_chroot postinstall_file SELinux denial."
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 29a2d7f..94a37d6 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -66,6 +66,7 @@
lowpan_service
mediaextractor_update_service
mediaprovider_tmpfs
+ metadata_file
mnt_vendor_file
netd_stable_secret_prop
network_watchlist_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 64ec724..31d08e9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -54,6 +54,7 @@
lowpan_prop
lowpan_service
mediaextractor_update_service
+ metadata_file
mnt_vendor_file
network_watchlist_data_file
network_watchlist_service
diff --git a/public/file.te b/public/file.te
index aeb15dc..e68e466 100644
--- a/public/file.te
+++ b/public/file.te
@@ -150,7 +150,9 @@
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
-# /metadata subdirectories
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
type vold_metadata_file, file_type;
# Speedup access for trusted applications to the runtime event tags
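Review bot: The new declaration `type metadata_file, file_type;` is not paired with anything that labels a path with it, so unless a `file_contexts` entry for `/metadata` lands in a companion change, the init `mounton` and vold `r_dir_file` rules that depend on this type will not match any object on disk; worth confirming before merge. The two comment lines also leave the split between this type and `vold_metadata_file` implicit; stating it keeps future rules on the right type: `# /metadata partition itself (root directory only; subdirectory contents use more specific types such as vold_metadata_file)`.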
diff --git a/public/init.te b/public/init.te
index 3047037..35a98fe 100644
--- a/public/init.te
+++ b/public/init.te
@@ -98,6 +98,9 @@
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;
+# /metadata
+allow init metadata_file:dir mounton;
+
# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;
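Review bot: The comment `# /metadata` above `allow init metadata_file:dir mounton;` does not say what the rule is for, and `mounton` only permits using the directory as a mount point without granting read, write or search on its contents. Making that explicit protects the least-privilege shape of the rule when a later denial tempts someone to widen it: `# /metadata: init only needs to mount the partition on this directory, not to access its contents`. Access to what lives under /metadata should stay with the owning domain, as the vold rule elsewhere in this change does.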
diff --git a/public/vold.te b/public/vold.te
index 95847cf..0b0c766 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -17,6 +17,7 @@
allow vold sysfs_zram_uevent:file w_file_perms;
r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
allow vold {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_cmdline