From 2b267293b219217587809a303033577c27481487 Mon Sep 17 00:00:00 2001
From: Sen Jiang <senj@google.com>
Date: Tue, 3 May 2016 11:07:11 -0700
Subject: [PATCH] Allow reading loop device in update_engine_unittests.

This fixes the following denies:
type=1400 audit(0.0:4389): avc: denied { read } for path="/data/misc/update_engine/tmp/a_loop_file.W0j9ss" dev="mmcblk0p13" ino=24695 scontext=u:r:kernel:s0 tcontext=u:object_r:update_engine_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:30): avc: denied { read } for path="/data/nativetest/update_engine_unittests/gen/disk_ext2_unittest.img" dev="mmcblk0p13" ino=71 scontext=u:r:kernel:s0 tcontext=u:object_r:nativetest_data_file:s0 tclass=file permissive=0

Bug: 28319454
Test: setenforce 1 && ./update_engine_unittests

Change-Id: I8d54709d4bda06b364b5420d196d75a4ecc011d3
---
 kernel.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kernel.te b/kernel.te
index 20b0c0a30..05aaf831a 100644
--- a/kernel.te
+++ b/kernel.te
@@ -63,6 +63,12 @@ allow kernel vold:fd use;
 allow kernel app_data_file:file read;
 allow kernel asec_image_file:file read;
 
+# Allow reading loop device in update_engine_unittests. (b/28319454)
+userdebug_or_eng(`
+  allow kernel update_engine_data_file:file read;
+  allow kernel nativetest_data_file:file read;
+')
+
 domain_auto_trans(kernel, init_exec, init)
 
 ###
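Review bot: The `allow kernel update_engine_data_file:file read;` line in the added `userdebug_or_eng` block covers every file labelled with that type, not only the temporary loop-backing file named in the first logged denial (`/data/misc/update_engine/tmp/...`). On userdebug/eng builds the kernel domain therefore gains read on update_engine's data files as a whole. The grant is limited to `read` and to debug builds, which matches the two denials. The comment should still record why the subject is `kernel` and that the rule is test-only, for example `# Reads of a loop device's backing file are done in the kernel domain; test-only, do not extend to user builds. (b/28319454)`. If the unit test can create its loop file under the nativetest data directory instead, the first allow line could presumably be dropped and only `nativetest_data_file` kept.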
-- 
GitLab