Allow update_engine to kill postinstall process.

This fixes the following denial in O: update_engine: type=1400 audit(0.0:2100): avc: denied { sigkill } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=0 Bug: 35111618 Test: update_engine_client --cancel during postinstall Change-Id: I7456a95b5ca6fbdb268a5e16a13e2409758141f5

Allow update_engine to kill postinstall process.
b74017d3 · Alex Deymo · 871e44c4 · b74017d3
Commit b74017d3 authored 8 years ago by Alex Deymo
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -30,7 +30,7 @@ allow update_engine_common postinstall_file:dir r_dir_perms;
 allow update_engine_common shell_exec:file rx_file_perms;

 # Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop };
+allow update_engine_common postinstall:process { signal sigstop sigkill };

 # access /proc/misc
 # Access is also granted to proc:file, but it is likely unneeded