From 5fad3d98deadde8900130fe8980032728ad75fd0 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 23 Oct 2014 12:12:58 -0700
Subject: [PATCH] recovery: allow changing unlabeled symbolic links

Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

(cherrypicked from commit 683ac49d9d2f7dafcc4204f737747117a5d72e4e)

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c
---
 recovery.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recovery.te b/recovery.te
index 75a024c07..204c096a3 100644
--- a/recovery.te
+++ b/recovery.te
@@ -29,7 +29,7 @@ recovery_only(`
 
   # We may be asked to set an SELinux label for a type not known to the
   # currently loaded policy. Allow it.
-  allow recovery unlabeled:file { create_file_perms relabelfrom relabelto };
+  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
 
   # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
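Review bot: The changed allow line grants the full create_file_perms set on unlabeled lnk_file, while the comment directly above it still only describes setting a label for a type unknown to the loaded policy. Please extend that comment to say symbolic links are now covered and why more than relabelfrom/relabelto is needed for them (the commit message mentions fixing up permissions as well as labels), or narrow the lnk_file grant to the permissions recovery actually uses. The rule stays inside recovery_only(, so the scope is limited to the recovery policy, which is good. One follow-up to consider: the dir rule and this rule together cover only dir, file and lnk_file, so if other unlabeled object classes can appear on the partitions recovery fixes up, they would hit the same denial this patch addresses for symlinks.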
-- 
GitLab