From d615ef3477da23e7fca9c13b6d63915992e63d2d Mon Sep 17 00:00:00 2001
From: Geremy Condra <gcondra@google.com>
Date: Wed, 4 Sep 2013 16:07:37 -0700
Subject: [PATCH] Fix miscellaneous long-tail denials.

Change-Id: Ie0947f79c63f962220d3c9316c5d5d82f677821f
---
 installd.te | 3 ++-
 zygote.te   | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/installd.te b/installd.te
index 3c43b05ec..fae130a72 100644
--- a/installd.te
+++ b/installd.te
@@ -11,11 +11,12 @@ allow installd system_data_file:lnk_file create;
 allow installd dalvikcache_data_file:file create_file_perms;
 allow installd data_file_type:dir create_dir_perms;
 allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:{ file lnk_file } { getattr unlink };
+allow installd data_file_type:{ file lnk_file sock_file } { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd download_file:dir { read getattr };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
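Review bot: Neither added installd rule has a comment naming the operation that was denied, and the commit message ("miscellaneous long-tail denials") does not record it either. Adding `sock_file` to `allow installd data_file_type:{ file lnk_file sock_file } { getattr unlink };` lets installd unlink sockets under every type that carries the data_file_type attribute. If the denial came from removing app data directories (an inference, not stated on the page), a comment such as `# Remove sockets left behind in app data directories.` would make that scope auditable. The new `allow installd download_file:dir { read getattr };` grants neither `open` nor `search`, so it is worth checking the logged avc denial to confirm this set is sufficient and no wider than needed, and stating the caller in a comment above the rule.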
diff --git a/zygote.te b/zygote.te
index 87f72bfbe..5b6162fe0 100644
--- a/zygote.te
+++ b/zygote.te
@@ -5,7 +5,7 @@ type zygote_exec, exec_type, file_type;
 init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid };
+allow zygote self:capability { dac_override setgid setuid fowner };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
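Review bot: The comment above the changed rule, `# Override DAC on files and switch uid/gid.`, no longer describes the capability set now that `fowner` is in it. CAP_FOWNER bypasses ownership checks on operations such as chmod and utime for files the process does not own, which is a separate privilege from dac_override, and zygote is also marked `mlstrustedsubject` two lines earlier. I would change the comment to `# Override DAC on files, bypass file-ownership checks, and switch uid/gid.` and name the zygote operation that triggered the denial, so a later audit can tell whether the capability is still required. The policy file continues past the end of this hunk.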
-- 
GitLab