From e9d97b744e95307020d461fd16f756323f25bba7 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 8 Jul 2014 10:52:05 -0700
Subject: [PATCH] recovery: allow read access to fuse filesystem

adb sideload depends on the ability to access the fuse
directory. Flipping recovery into enforcing started triggering
the following denial:

  type=1400 audit(17964905.699:7): avc:  denied  { search } for  pid=132 comm="recovery" name="/" dev="fuse" ino=1 scontext=u:r:recovery:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir

Change-Id: I27ee0295fa2e2d0449bfab4f95bfbc076e92cf59
---
 recovery.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recovery.te b/recovery.te
index 9c5900381..28c7f80ad 100644
--- a/recovery.te
+++ b/recovery.te
@@ -92,6 +92,7 @@ recovery_only(`
   # "sdcard_internal"; the simulated SD card is the only other user of
   # fuse.)
   allow recovery fuse_device:chr_file rw_file_perms;
+  allow recovery sdcard_internal:dir r_dir_perms;
   allow recovery sdcard_internal:file r_file_perms;
 
   wakelock_use(recovery)