From 4203981e8b0c741057268b6a633fe9e84b31ebd6 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 31 May 2014 08:07:39 -0700
Subject: [PATCH] recovery: enable permissive_or_unconfined

Switch from using unconfined_domain() to permissive_or_unconfined().
For user builds, or builds with FORCE_PERMISSIVE_TO_UNCONFINED=true,
this is a no-op. For userdebug / eng builds, this will allow us to
collect denials from /proc/last_kmsg.

Change-Id: I41e1a206b2a3b0eee34539bfebfc5deee9e18a42
---
 recovery.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recovery.te b/recovery.te
index 41038c811..3efae4ec6 100644
--- a/recovery.te
+++ b/recovery.te
@@ -8,7 +8,7 @@ type recovery, domain;
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
   allow recovery rootfs:file entrypoint;
-  unconfined_domain(recovery)
+  permissive_or_unconfined(recovery)
 
   # Set security contexts on files that are not known to the loaded policy.
   allow recovery self:capability2 mac_admin;
-- 
GitLab