From 1c8e606faf2a16f1eb9f4fb6b467e962a7ddcfb7 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Tue, 14 Feb 2017 15:56:46 -0800
Subject: [PATCH] init: allow init to restorecon on block devices and their
 symlinks

For early mount we end up creating the device nodes for partitions
under /dev/block before SELinux is initialized, which means that
restorecon_recursive on /dev/block will have to relabel these nodes
and their symlinks.

This change adds the rule to allow init to do the same.

b/27805372

Test: boot marlin / sailfish with early mount device node creation
but mount partitions using the default 'mountall' without any selinux
denials.

Change-Id: Ib9335f3f961d485d2120a175dbdbf85d6f70b160
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 public/init.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/public/init.te b/public/init.te
index a65bf2cbc..86f062ab1 100644
--- a/public/init.te
+++ b/public/init.te
@@ -27,9 +27,11 @@ allow init random_device:chr_file relabelto;
 # /dev/device-mapper, /dev/block(/.*)?
 allow init tmpfs:{ chr_file blk_file } relabelfrom;
 allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file } relabelto;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
 allow init dm_device:{ chr_file blk_file } relabelto;
 allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
 
 # setrlimit
 allow init self:capability sys_resource;
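Review bot: The comment added before the new `tmpfs:lnk_file` rule names the use case but not why `read` is in the permission set, which is the part a later reviewer is most likely to question or drop; `getattr` and `relabelfrom` are what relabeling the link itself needs, while `read` (readlink) is presumably demanded by the recursive tree walk, and if the set was taken from observed denials during the marlin/sailfish boot test the comment should say so. Suggested wording: `# restorecon for early mount device symlinks: getattr/relabelfrom to relabel the link itself, read for readlink during the recursive walk`. The `lnk_file` addition to the `block_device` relabelto rule two lines earlier is the target-side half of the same relabel, but it sits between unrelated lines with no comment tying it to the tmpfs rule; a short note there such as `# lnk_file: symlinks under /dev/block relabeled by early mount restorecon` would keep the two from being reviewed independently. Whether symlinks pointing at dm devices also need `lnk_file` on the `dm_device` relabelto rule cannot be told from this hunk and is worth confirming against file_contexts.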
-- 
GitLab