From c457572bdf4d85090582eb18db34b279967080d0 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 30 Oct 2014 16:50:25 -0400
Subject: [PATCH] Allow init to restorecon /data directories on upgrades.

Resolves (permissive) denials on upgrades from 4.4.

Change-Id: Ia9eed4938a7235c23bb65de7ad65e6e7c325dfd7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/init.te b/init.te
index 47dcf6898..61ec44e34 100644
--- a/init.te
+++ b/init.te
@@ -80,7 +80,7 @@ allow init rootfs:file relabelfrom;
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:dir { write add_name remove_name rmdir };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:dir { write add_name remove_name rmdir relabelfrom };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:file { create getattr open read write setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
-- 
GitLab