From 543faccc62dd9a31fa12a641678de61a44ba7b70 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 27 Feb 2015 14:54:40 -0800
Subject: [PATCH] allow init tmpfs:dir relabelfrom

When encrypting a device, or when an encrypted device boots,
a tmpfs is mounted in place of /data, so that a pseudo filesystem
exists to start system_server and related components. SELinux labels
need to be applied to that tmpfs /data so the system boots
properly.

Allow init to relabel a tmpfs /data.

Addresses the following denial:

[    6.294896] type=1400 audit(29413651.850:4): avc:  denied  { relabelfrom } for  pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Steps to reproduce:
  1) Go into Settings > Security > Encrypt Phone
  2) Encrypt phone
  3) See denial
  4) reboot phone
  5) See denial on boot

Bug: 19050686
Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
---
 init.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/init.te b/init.te
index 14e9f8065..03a54b4c7 100644
--- a/init.te
+++ b/init.te
@@ -46,6 +46,9 @@ allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cpuctl_device:dir { create mounton };
 
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
 # Create directories under /dev/cpuctl after chowning it to system.
 allow init self:capability dac_override;
 
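Review bot: The added rule `allow init tmpfs:dir relabelfrom;` is wider than its comment suggests: it lets init relabel any directory carrying the tmpfs type, not only the tmpfs mounted in place of /data. Type enforcement cannot scope this by path, so the comment should say so, for example "# Relabel the root of the tmpfs mounted as /data on encrypted devices; applies to all tmpfs:dir". The quoted denial covers only relabelfrom on the source type. A relabel also needs relabelto on the destination type, which these lines do not show, so it is worth confirming after the change that steps 3 and 5 of the reproduction produce no follow-up denial.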
-- 
GitLab