From 8f6870534923b7bd383e0e7eec0ca1f6d76e5fa3 Mon Sep 17 00:00:00 2001
From: Tianjie Xu <xunchang@google.com>
Date: Fri, 23 Jun 2017 15:48:42 -0700
Subject: [PATCH] Allow update_engine to read postinstall_mnt_dir

The denial message:
update_engine: type=1400 audit(0.0:15213): avc: denied { getattr } for
path="/postinstall" dev="dm-0" ino=38 scontext=u:r:update_engine:s0
tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir permissive=0

update_engine: type=1400 audit(0.0:15214): avc: denied { sys_rawio } for
capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0

auditd  : type=1400 audit(0.0:15213): avc: denied { getattr } for
comm="update_engine" path="/postinstall" dev="dm-0" ino=38
scontext=u:r:update_engine:s0 tcontext=u:object_r:postinstall_mnt_dir:s0
tclass=dir permissive=0

update_engine: [0428/070905:ERROR:utils.cc(716)] Error stat'ing /postinstall: Permission denied

Bug: 37760573
Test: apply an update and UE reads postinstall_mnt_dir without denial.
Change-Id: I55506f5e8544233f60ccf7c1df846c9c93946a25
---
 public/update_engine_common.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 775bb1eda..e9bf24fd2 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -19,7 +19,7 @@ allow update_engine_common rootfs:file r_file_perms;
 
 # Allow update_engine_common to mount on the /postinstall directory and reset the
 # labels on the mounted filesystem to postinstall_file.
-allow update_engine_common postinstall_mnt_dir:dir mounton;
+allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
 allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
 allow update_engine_common labeledfs:filesystem relabelfrom;
 
-- 
GitLab