From adbabeebb2a931c6992ab80ef71e1e63afbd3e78 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 26 Nov 2014 11:46:06 -0800
Subject: [PATCH] Allow dex2oat to work on /oem APKs

Dex2oat needs the ability to read from already open file descriptors
in /oem so that apps from that location can be installed. Allow it.

Addresses the following denials:

  avc: denied { read } for comm="dex2oat" path="/oem/app/TabletInfo.apk" dev="mmcblk0p12" ino=20 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/AskMe_android_one.apk" dev="mmcblk0p12" ino=14 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerRegulatoryInfo.apk" dev="mmcblk0p12" ino=19 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerLauncherProvider.apk" dev="mmcblk0p12" ino=18 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/Amazon_Mobile_com.apk" dev="mmcblk0p12" ino=13 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerBookmarksProvider.apk" dev="mmcblk0p12" ino=17 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/Hike.apk" dev="mmcblk0p12" ino=15 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/MiLive_embedded_IndiaGames_version4.0_android1.apk" dev="mmcblk0p12" ino=16 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0

Bug: 18539205
Change-Id: I92bd91c66befc5a1060dd189324b2c046bba0258
---
 dex2oat.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dex2oat.te b/dex2oat.te
index 5fded3670..f7de25d65 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -12,3 +12,4 @@ allow dex2oat installd:fd use;
 # locked APKs.
 allow dex2oat asec_apk_file:file read;
 allow dex2oat unlabeled:file read;
+allow dex2oat oemfs:file read;
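Review bot: The added `allow dex2oat oemfs:file read;` line has no comment of its own; the only comment in view ends in `# locked APKs.` and starts above the hunk, so nothing in the file says why dex2oat may read oemfs files. The commit message says the intent is to read descriptors that are already open, and the rule grants `read` without `open`, consistent with the `installd:fd use` rule in the hunk header. That omission is worth recording so a later change does not widen it to `r_file_perms`. I would add above the rule: `# /oem APKs: read via fds already opened by installd; open is deliberately not granted.` The `oemfs` type presumably labels everything on /oem rather than only /oem/app, so the lack of `open` is what keeps the effective scope narrow.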
-- 
GitLab