Allow sepolicies granting bootanim exec on /oem.

Iot would like to allow bootanim to load libraries from /oem but in order for device-specfic sepolicies to grant exec this global restriction needs to be relaxed. Bug: 37992717 Test: Tested with Iot sepolicies in effect and bootanim can exec. Change-Id: I6462bf510562eb3fb06304e50b68fba05d37b285

Allow sepolicies granting bootanim exec on /oem.
Iot would like to allow bootanim to load libraries from /oem but in order for device-specfic sepolicies to grant exec this global restriction needs to be relaxed. Bug: 37992717 Test: Tested with Iot sepolicies in effect and bootanim can exec. Change-Id: I6462bf510562eb3fb06304e50b68fba05d37b285
6a1e6a9c · Ed Coyne · David Pursell · 94e3dfc3 · 6a1e6a9c
Commit 6a1e6a9c authored 7 years ago by Ed Coyne Committed by David Pursell 7 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -366,6 +366,7 @@ neverallow {
 neverallow {
    domain
    -appdomain # for oemfs
+    -bootanim # for oemfs
    -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed