From e1695914d55d9ced3645fc532191970c9450e9e9 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Wed, 9 Jul 2014 12:39:21 -0700 Subject: [PATCH] restorecon_recursive /cache Make sure all files / directories within /cache are properly labeled, not just the directory itself. Addresses the following denial: type=1400 audit(0.0:26): avc: denied { getattr } for comm="Thread-85" path="/cache/lost+found" dev="mmcblk0p27" ino=11 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir Change-Id: I5937b30043efeb696ffaa77258b7294d20d1494e --- rootdir/init.rc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rootdir/init.rc b/rootdir/init.rc index a983f292d..e2bc5b352 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc @@ -189,13 +189,11 @@ on post-fs chown system cache /cache chmod 0770 /cache # We restorecon /cache in case the cache partition has been reset. - restorecon /cache + restorecon_recursive /cache # This may have been created by the recovery system with odd permissions chown system cache /cache/recovery chmod 0770 /cache/recovery - # This may have been created by the recovery system with the wrong context. - restorecon /cache/recovery #change permissions on vmallocinfo so we can grab it from bugreports chown root log /proc/vmallocinfo
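
Review bot: The comment kept above the new `restorecon_recursive /cache` line still reads "We restorecon /cache in case the cache partition has been reset", which describes the old single-directory relabel rather than a walk of the whole tree. The deleted comment "This may have been created by the recovery system with the wrong context." was also the only in-file record of why /cache/recovery needs relabeling. Suggest rewording the kept comment to say that everything under /cache is relabeled, naming /cache/recovery and entries such as /cache/lost+found from the denial quoted in the commit message. Because the line sits in the `on post-fs` section, the recursive walk now runs in that boot stage and its cost scales with the number of files in /cache, which is worth stating in the commit message.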