sepolicy: update common omni sepolicy
Change-Id: Ie82e9476191151b769cc4e29176cc6f1b8fdbe82
diff --git a/prebuilt/etc/init.local.rc b/prebuilt/etc/init.local.rc
index 70a1860..ab82f12 100644
--- a/prebuilt/etc/init.local.rc
+++ b/prebuilt/etc/init.local.rc
@@ -66,13 +66,17 @@
# I/O scheduler
chown system system /sys/block/mmcblk0/queue/scheduler
chmod 0664 /sys/block/mmcblk0/queue/scheduler
+ restorecon /sys/block/mmcblk0/queue/scheduler
chown system system /sys/block/mmcblk0/queue/read_ahead_kb
chmod 0664 /sys/block/mmcblk0/queue/read_ahead_kb
+ restorecon /sys/block/mmcblk0/queue/read_ahead_kb
chown system system /sys/block/mmcblk1/queue/scheduler
chmod 0664 /sys/block/mmcblk1/queue/scheduler
+ restorecon /sys/block/mmcblk1/queue/scheduler
chown system system /sys/block/mmcblk1/queue/read_ahead_kb
chmod 0664 /sys/block/mmcblk1/queue/read_ahead_kb
+ restorecon /sys/block/mmcblk1/queue/read_ahead_kb
# allow system to modify ksm control files
chown root system /sys/kernel/mm/ksm/pages_to_scan
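Review bot: Only the four mmcblk queue nodes get a `restorecon` in this hunk, although the same commit also moves `/sys/kernel/mm/ksm` and `/sys/block/zram` to new types in file_contexts. A file_contexts entry does not by itself relabel an existing sysfs node, so the ksm file chowned on the last line here would presumably keep its previous label, and the new `sysfs_ksm` allow rule would never match it. Unless this is handled past the end of the hunk, add `restorecon /sys/kernel/mm/ksm/pages_to_scan` after its chown/chmod, and do the same for the other ksm and zram nodes that are meant to be writable. The init section these lines belong to starts and ends outside the hunk.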
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..b16b25b
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,7 @@
+###########################
+# OmniROM common sepolicy
+#
+
+type sysfs_ioscheduler, fs_type, sysfs_type;
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_ksm, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7a24c06..4ac47a5 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -3,6 +3,6 @@
#
# performance-related sysfs files
-/sys/kernel/mm/ksm(/.*)? u:object_r:sysfs_writable:s0
-/sys/block/mmcblk(/.*)? u:object_r:sysfs_writable:s0
-/sys/block/zram(/.*)? u:object_r:sysfs_writable:s0
+/sys/kernel/mm/ksm(/.*)? u:object_r:sysfs_ksm:s0
+/sys/block/mmcblk[0-2]/queue(/.*) u:object_r:sysfs_ioscheduler:s0
+/sys/block/zram(/.*)? u:object_r:sysfs_zram:s0
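Review bot: The new mmcblk pattern `/sys/block/mmcblk[0-2]/queue(/.*)` drops the trailing `?` that the ksm and zram entries keep, so the `queue` directory itself is not matched; if that is not deliberate, write `(/.*)?`. file_contexts patterns are anchored at both ends, so `/sys/block/zram(/.*)?` matches a node literally named `zram` and not `zram0`. The mmcblk line gained a digit class in this change but the zram line did not. If the target kernel exposes the devices as `zramN`, the entry should read something like `/sys/block/zram[0-9]+(/.*)?`, otherwise `sysfs_zram` is never applied.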
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..7c9f694
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,6 @@
+###########################
+# OmniROM common sepolicy
+#
+
+# treat fuseblk as sdcard_external
+genfscon fuseblk / u:object_r:sdcard_external:s0
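Review bot: `genfscon fuseblk /` labels every fuseblk mount on the device, not only the external SD card, so any FUSE-backed block filesystem that gets mounted is exposed to all domains that hold permissions on `sdcard_external`. The comment should state that the blanket label is intentional and which mounts it is meant to cover, for example `# every fuseblk mount (FUSE-backed block filesystems) is labeled sdcard_external`. If only specific volumes should get this type, that restriction has to be enforced elsewhere, since genfscon cannot distinguish between mounts of the same filesystem type.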
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
index 52d6b97..9b9c568 100644
--- a/sepolicy/sepolicy.mk
+++ b/sepolicy/sepolicy.mk
@@ -6,7 +6,3 @@
BOARD_SEPOLICY_DIRS += \
vendor/omni/sepolicy
-BOARD_SEPOLICY_UNION += \
- file_contexts \
- system_app.te \
- system_server.te
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 25aae95..91be6b6 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -5,7 +5,9 @@
# performance settings
allow system_app sysfs_lowmemorykiller:file rw_file_perms;
allow system_app sysfs_devices_system_cpu:file rw_file_perms;
-allow system_app sysfs_writable:file rw_file_perms;
+allow system_app sysfs_ioscheduler:file rw_file_perms;
+allow system_app sysfs_zram:file rw_file_perms;
+allow system_app sysfs_ksm:file rw_file_perms;
# Read /sys/kernel/debug/wakeup_sources.
allow system_app debugfs:file r_file_perms;
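Review bot: Each of the three new rules grants `rw_file_perms` on every file carrying the type, and file_contexts maps whole subtrees to `sysfs_zram` and `sysfs_ksm`, so system_app's write access reaches further than the tunables the `# performance settings` comment implies. Either narrow the file_contexts patterns to the nodes that are actually written, or add a comment above each rule naming those nodes so a later reviewer can check the grant against its purpose. Only system_app is updated here; system_server.te is not part of this diff, and if it carried a `sysfs_writable` rule for these paths it needs the same three types or it loses access silently.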
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..b0b9868
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,12 @@
+###########################
+# OmniROM common sepolicy
+#
+
+domain_trans(init, rootfs, vold)
+
+# Allow vold to manage ASEC
+allow vold sdcard_external:file create_file_perms;
+
+# Allow vold to access fuse for fuse-based fs
+allow vold fuse_device:chr_file rw_file_perms;
+
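Review bot: `domain_trans(init, rootfs, vold)` makes any rootfs-labeled executable a valid entrypoint into the vold domain, which is much broader than a dedicated exec type, and the file gives no reason for it. Add a comment that names the binary and explains why it lives in rootfs, e.g. `# vold is started by init from <rootfs binary path>, so it needs a rootfs entrypoint`. If the binary can be given its own label, prefer that over a rootfs entrypoint. Separately, the ASEC rule grants `sdcard_external:file create_file_perms` but no directory permissions; creating a file also needs write and add_name on the parent directory, so confirm another rule supplies those for `sdcard_external:dir`.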