Merge "New "selinux.restorecon" control property." into mnc-dev

86987a01 · Jeff Sharkey · Android (Google) Code Review · ba8821b0 · 7617cd48 · 86987a01
Commit 86987a01 authored 9 years ago by Jeff Sharkey Committed by Android (Google) Code Review 9 years ago
--- a/property.te
+++ b/property.te
@@ -21,6 +21,7 @@ type ctl_bugreport_prop, property_type;
 type ctl_console_prop, property_type;
 type audio_prop, property_type;
 type logd_prop, property_type;
+type restorecon_prop, property_type;
 type security_prop, property_type;
 type bluetooth_prop, property_type;
 type pan_result_prop, property_type;

--- a/property_contexts
+++ b/property_contexts
@@ -41,7 +41,8 @@ persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
 # selinux non-persistent properties
-selinux.                u:object_r:security_prop:s0
+selinux.restorecon_recursive   u:object_r:restorecon_prop:s0
+selinux.                       u:object_r:security_prop:s0
 # default property context
 *                       u:object_r:default_prop:s0

--- a/vold.te
+++ b/vold.te
@@ -111,6 +111,7 @@ allow vold kernel:process setsched;
 set_prop(vold, vold_prop)
 set_prop(vold, powerctl_prop)
 set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
 # ASEC
 allow vold asec_image_file:file create_file_perms;
@@ -159,3 +160,4 @@ neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setat
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init } restorecon_prop:property_service set;