From 8809341cb0f2eaf581f657195c3ac519743c3cac Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 23 Dec 2014 17:08:58 -0800
Subject: [PATCH] init: allow rootfs symlink removal

On the Nexus 9, init.rc creates the /vendor -> /system/vendor
symlink, then a bit later removes the symlink, creates a
proper directory, and mounts /vendor on the directory.

The current permissive SELinux policy doesn't allow init to
remove the /vendor symlink, which eventually causes the following
errors:

  avc:  denied  { unlink } for  pid=136 comm="init" name="vendor" dev="rootfs" ino=6454 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
  fs_mgr: Failed to mount an un-encryptable or wiped partition on/dev/block/platform/sdhci-tegra.3/by-name/VNR at /vendor options: (null) error: Too many symbolic links encountered

There was an attempt to reorder some of these operations so
we didn't have to create / delete the symlink, but it
doesn't seem to have gone well.
https://android.googlesource.com/platform/system/core/+/f67d6bd3c0fb41d167c675b9d2b5d377b6f38a74

Change-Id: I4d01661d4228e44e18465fe16ce4a70fe2a83042
---
 init.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/init.te b/init.te
index b833da8c0..d78ca497a 100644
--- a/init.te
+++ b/init.te
@@ -34,8 +34,8 @@ allow init rootfs:dir mounton;
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
 
-# Create symlinks in /.
-allow init rootfs:lnk_file create;
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
 
 # Mount debugfs on /sys/kernel/debug.
 allow init sysfs:dir mounton;
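Review bot: The added `allow init rootfs:lnk_file { create unlink };` line lets init remove any symlink labelled rootfs, while the only case the commit message describes is the /vendor symlink on the Nexus 9, and the new comment "Create and remove symlinks in /." does not record that. Suggest naming the /vendor remove-and-remount sequence in the comment so the unlink permission can be revisited if the init.rc reordering mentioned in the message is attempted again. Separately, the quoted denial carries permissive=1, so it would help if the commit message said how that logged denial leads to the fs_mgr mount failure it is listed with.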
-- 
GitLab