From 48ffa6fe1f5a7bdb41b616ef92cfaf99ef8d4c07 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 7 Jul 2014 13:55:28 -0700
Subject: [PATCH] fix build.

libsepol.check_assertion_helper: neverallow on line 166 of external/sepolicy/domain.te (or line 5056 of policy.conf) violated by allow recovery unlabeled:file { create };
Error while expanding policy
make: *** [out/target/product/generic/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery] Error 1

(cherry picked from commit 3508d611cc661730bdf0e706d2f1fd1814cd8c60)

Change-Id: I5efa1f2040fc40df1df44ed1b8e84b6080cb8f74
---
 domain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 9f5ea9b6f..bd8ff25a9 100644
--- a/domain.te
+++ b/domain.te
@@ -163,7 +163,7 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 ###
 
 # Do not allow any confined domain to create new unlabeled files.
-neverallow { domain -unconfineddomain } unlabeled:dir_file_class_set create;
+neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create;
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
-- 
GitLab
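Review bot: The `-recovery` exclusion added to the `neverallow` on `unlabeled:dir_file_class_set create` lifts the assertion for every class in `dir_file_class_set`, while the build error quoted in the commit message names only `allow recovery unlabeled:file { create }`. The compile-time check will therefore no longer catch a later recovery rule that creates unlabeled directories, symlinks or device nodes, and the comment above the rule ("any confined domain") no longer matches what it enforces. If the exemption has to stay to unbreak the build, I would record the reason next to it, e.g. `# recovery is exempt for now: its policy still allows create on unlabeled:file; drop -recovery once that allow is removed.` The allow rule that triggers the violation is outside this hunk (presumably in recovery's own policy file), so narrowing it there is the follow-up that would let this exception be removed.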