Merge "Track otapreopt_chroot postinstall_file SELinux denial."
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 29a2d7f..94a37d6 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -66,6 +66,7 @@
     lowpan_service
     mediaextractor_update_service
     mediaprovider_tmpfs
+    metadata_file
     mnt_vendor_file
     netd_stable_secret_prop
     network_watchlist_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 64ec724..31d08e9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -54,6 +54,7 @@
     lowpan_prop
     lowpan_service
     mediaextractor_update_service
+    metadata_file
     mnt_vendor_file
     network_watchlist_data_file
     network_watchlist_service
diff --git a/public/file.te b/public/file.te
index aeb15dc..e68e466 100644
--- a/public/file.te
+++ b/public/file.te
@@ -150,7 +150,9 @@
 # Default type for everything in /vendor/overlay
 type vendor_overlay_file, vendor_file_type, file_type;
 
-# /metadata subdirectories
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
 type vold_metadata_file, file_type;
 
 # Speedup access for trusted applications to the runtime event tags
diff --git a/public/init.te b/public/init.te
index 3047037..35a98fe 100644
--- a/public/init.te
+++ b/public/init.te
@@ -98,6 +98,9 @@
 allow init configfs:dir create_dir_perms;
 allow init configfs:{ file lnk_file } create_file_perms;
 
+# /metadata
+allow init metadata_file:dir mounton;
+
 # Use tmpfs as /data, used for booting when /data is encrypted
 allow init tmpfs:dir relabelfrom;
 
diff --git a/public/vold.te b/public/vold.te
index 95847cf..0b0c766 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -17,6 +17,7 @@
 allow vold sysfs_zram_uevent:file w_file_perms;
 
 r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
 allow vold {
   proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
   proc_cmdline