installd: r_dir_file(installd, system_file)

am: 68f23364

Change-Id: I3dbbe8bc411dfb530e1363ad563db2dbdbfc1736

public/domain_deprecated.te

@@ -41,9 +41,35 @@ auditallow domain_deprecated device:file read;
 allow domain_deprecated system_file:dir r_dir_perms;
 allow domain_deprecated system_file:file r_file_perms;
 allow domain_deprecated system_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain
-auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:lnk_file { getattr open ioctl lock }; # read in domain
+auditallow {
+  domain_deprecated
+  -appdomain
+  -init
+  -installd
+  -rild
+  -surfaceflinger
+  -system_server
+  -zygote
+} system_file:dir { open read ioctl lock }; # search getattr in domain
+auditallow {
+  domain_deprecated
+  -appdomain
+  -init
+  -rild
+  -surfaceflinger
+  -system_server
+  -zygote
+} system_file:file { ioctl lock }; # read open getattr in domain
+auditallow {
+  domain_deprecated
+  -appdomain
+  -init
+  -installd
+  -rild
+  -surfaceflinger
+  -system_server
+  -zygote
+} system_file:lnk_file { getattr open ioctl lock }; # read in domain
 
 # Read files already opened under /data.
 allow domain_deprecated system_data_file:file { getattr read };

public/installd.te

@@ -25,6 +25,8 @@ allow installd mnt_expand_file:dir { search getattr };
 selinux_check_context(installd)
 
 r_dir_file(installd, rootfs)
+# Scan through APKs in /system/app and /system/priv-app
+r_dir_file(installd, system_file)
 
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;