init: allow init to restorecon on block devices and their symlinks

For early mount we end up creating the device nodes for partitions under /dev/block before selinux is initialized. Which means, that restorecon_recursive on /dev/block will have to relabel these nodes and their symlinks. This change adds the rule to allow init do the same. b/27805372 Test: boot marlin / sailfish with early mount device node creation but mount partitions using the default 'mountall' without any selinux denials. Change-Id: Ib9335f3f961d485d2120a175dbdbf85d6f70b160 Signed-off-by: Sandeep Patil <sspatil@google.com>

init: allow init to restorecon on block devices and their symlinks
1c8e606f · Sandeep Patil · db955a15 · 1c8e606f
Commit 1c8e606f authored 8 years ago by Sandeep Patil
--- a/public/init.te
+++ b/public/init.te
@@ -27,9 +27,11 @@ allow init random_device:chr_file relabelto;
 # /dev/device-mapper, /dev/block(/.*)?
 allow init tmpfs:{ chr_file blk_file } relabelfrom;
 allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file } relabelto;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
 allow init dm_device:{ chr_file blk_file } relabelto;
 allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
 # setrlimit
 allow init self:capability sys_resource;