sepolicy: explicitly label all sepolicy files

am: 136caa1b Change-Id: I35ffe4d2cd233582c9dc73f1c20602c1a1c953eb

sepolicy: explicitly label all sepolicy files
7dcab748 · Sandeep Patil · android-build-merger · 2515e1b1 · 136caa1b · 7dcab748
Commit 7dcab748 authored 8 years ago by Sandeep Patil Committed by android-build-merger 8 years ago
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -41,15 +41,15 @@
 /file_contexts\.bin     u:object_r:file_contexts_file:s0
 /nonplat_file_contexts  u:object_r:file_contexts_file:s0
 /plat_file_contexts     u:object_r:file_contexts_file:s0
-/mapping_sepolicy\.cil   u:object_r:rootfs:s0
-/nonplat_sepolicy\.cil   u:object_r:rootfs:s0
-/plat_sepolicy\.cil      u:object_r:rootfs:s0
+/mapping_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil      u:object_r:sepolicy_file:s0
 /plat_property_contexts  u:object_r:property_contexts_file:s0
 /nonplat_property_contexts  u:object_r:property_contexts_file:s0
 /seapp_contexts     u:object_r:seapp_contexts_file:s0
 /nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
-/sepolicy           u:object_r:rootfs:s0
+/sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /nonplat_service_contexts   u:object_r:service_contexts_file:s0

@@ -253,15 +253,21 @@
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0

 #############################
 # Vendor files
 #
 /vendor(/.*)?		u:object_r:system_file:s0
+/vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
 /vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0

 #############################
 # OEM and ODM files

--- a/public/file.te
+++ b/public/file.te
@@ -265,6 +265,9 @@ type property_contexts_file, file_type;
 # seapp_contexts file
 type seapp_contexts_file, file_type;

+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
 # service_contexts file
 type service_contexts_file, file_type;


--- a/public/init.te
+++ b/public/init.te
@@ -302,6 +302,9 @@ allow init self:process { setexec setfscreate setsockcreate };
 # Get file context
 allow init file_contexts_file:file r_file_perms;

+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
 # Perform SELinux access checks on setting properties.
 selinux_check_access(init)