Merge "Revert "Remove "exec_type" from postinstall_file.""

am: 2f72269

* commit '2f722694c40ad69058053b57f1204bbc1bd7064e':
  Revert "Remove "exec_type" from postinstall_file."

Change-Id: I6e87149712aeb9600a3a569f07ed3b18b76fa84e

file.te

@@ -117,7 +117,7 @@ type storage_stub_file, file_type;
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
+type postinstall_file, file_type, exec_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;

update_engine.te

@@ -36,13 +36,19 @@ allow update_engine postinstall_mnt_dir:dir mounton;
 allow update_engine postinstall_file:filesystem { mount unmount relabelfrom relabelto };
 allow update_engine labeledfs:filesystem relabelfrom;
 
-# Allow update_engine to read and execute postinstall_file, which is what the
-# postinstall program is relabeled to regardless of its attributes in the new
-# system. The postinstall program will run in the "postinstall" domain.
+# Allow update_engine to read and execute postinstall_file.
 allow update_engine postinstall_file:file rx_file_perms;
 allow update_engine postinstall_file:lnk_file r_file_perms;
 allow update_engine postinstall_file:dir r_dir_perms;
 
+# The postinstall program is run by update_engine and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine, postinstall_file, postinstall)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine shell_exec:file rx_file_perms;
+
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 allow update_engine update_engine_service:service_manager { add };