diff --git a/private/adbd.te b/private/adbd.te
index 80c6a016ffe6c69201fec02ca203e41c3bead7ba..2b80281d71fe5d9405147ae2cbe226719cf36983 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -101,6 +101,7 @@ allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
diff --git a/private/file_contexts b/private/file_contexts
index 90df77cc8d981903eff50577bfe11ce70c8c7feb..08deeafe5c92211aa05db6f20423dc0ff76d3876 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,9 +38,9 @@
/sdcard u:object_r:rootfs:s0
# SELinux policy files
-/file_contexts\.bin u:object_r:rootfs:s0
-/nonplat_file_contexts u:object_r:rootfs:s0
-/plat_file_contexts u:object_r:rootfs:s0
+/file_contexts\.bin u:object_r:file_contexts_file:s0
+/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/plat_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:rootfs:s0
/nonplat_sepolicy\.cil u:object_r:rootfs:s0
/plat_sepolicy\.cil u:object_r:rootfs:s0
@@ -251,6 +251,7 @@
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
#############################
# Vendor files
@@ -258,6 +259,7 @@
/vendor(/.*)? u:object_r:system_file:s0
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
#############################
# OEM and ODM files
diff --git a/private/system_server.te b/private/system_server.te
index 5aae022bdf8e59ca0e91eb531305ec25caafb11d..698ae8ead970f0adfb745da6d09879df5a7d5284 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -230,6 +230,8 @@ allow system_server mediaserver:udp_socket rw_socket_perms;
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
# Check SELinux permissions.
selinux_check_access(system_server)
diff --git a/public/file.te b/public/file.te
index 72af4855cd813256c3261558635cf3cf0db8c7ba..385c88b68c569912e45ee70b8e8cf136b9b7d265 100644
--- a/public/file.te
+++ b/public/file.te
@@ -256,6 +256,9 @@ type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
+# file_contexts files
+type file_contexts_file, file_type;
+
# property_contexts file
type property_contexts_file, file_type;
diff --git a/public/init.te b/public/init.te
index 4b080464b99e86e29b986f0ed1e50891cc0f9df9..4aa1349e1a4ace1659909ccd1bdad554b1022459 100644
--- a/public/init.te
+++ b/public/init.te
@@ -299,6 +299,9 @@ r_dir_file(init, domain)
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
# Perform SELinux access checks on setting properties.
selinux_check_access(init)
diff --git a/public/installd.te b/public/installd.te
index 0a5b8a380e9a4ab1e9e79012f1d7bbf59f106b95..474ba9c35de94560ebc8ef1e26111e2130dd5ed8 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,8 @@ selinux_check_context(installd)
r_dir_file(installd, rootfs)
# Scan through APKs in /system/app and /system/priv-app
r_dir_file(installd, system_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
diff --git a/public/kernel.te b/public/kernel.te
index a93c8e908b32433e6869fa1d2a1f30bad1c06de4..9537c0dfaf4f8c4feec5ec47f24e62a28fba12a6 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -11,6 +11,9 @@ r_dir_file(kernel, proc)
allow kernel selinuxfs:dir r_dir_perms;
allow kernel selinuxfs:file r_file_perms;
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
# Allow init relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;
diff --git a/public/recovery.te b/public/recovery.te
index 1ec19c5ada5299a37cb4289f3746d3efd74b8795..d6aef1c58b0cadd48b7a208b7f644a0eb1f195ea 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -37,6 +37,8 @@ recovery_only(`
# currently loaded policy. Allow it.
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+ # Get file contexts
+ allow recovery file_contexts_file:file r_file_perms;
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
# support to OTAs. However, that code has a bug. When an update occurs,
diff --git a/public/ueventd.te b/public/ueventd.te
index b0706c89508b09d1639adefda2f6e5a5995a0266..512b019d471a33241066b2d531ce003df393241c 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@ allow ueventd efs_file:file r_file_perms;
# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
diff --git a/public/vold.te b/public/vold.te
index f4a391693f4e28aaa128d8f3500d241f9aeff26f..89e2c2471bc8da3ad1e0c69aa4d219877052c5df 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -19,6 +19,9 @@ allow vold sysfs_zram_uevent:file w_file_perms;
r_dir_file(vold, rootfs)
allow vold proc_meminfo:file r_file_perms;
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
# Allow us to jump into execution domains of above tools
allow vold self:process setexec;