allow init tmpfs:dir relabelfrom
When encrypting a device, or when an encrypted device boots, a tmpfs is mounted in place of /data, so that a pseudo filesystem exists to start system_server and related components. SELinux labels need to be applied to that tmpfs /data so the system boots properly.

Allow init to relabel a tmpfs /data.

Addresses the following denial:

  [ 6.294896] type=1400 audit(29413651.850:4): avc: denied { relabelfrom } for pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Steps to reproduce:
1) Go into Settings > Security > Encrypt Phone
2) Encrypt phone
3) See denial
4) reboot phone
5) See denial on boot

Bug: 19050686
Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
This commit is contained in:
parent
a4b8226457
commit
543faccc62
1 changed files with 3 additions and 0 deletions
3
init.te
|
@ -46,6 +46,9 @@ allow init tmpfs:dir mounton;
|
|||
allow init cgroup:dir create_dir_perms;
|
||||
allow init cpuctl_device:dir { create mounton };
|
||||
|
||||
# Use tmpfs as /data, used for booting when /data is encrypted
|
||||
allow init tmpfs:dir relabelfrom;
|
||||
|
||||
# Create directories under /dev/cpuctl after chowning it to system.
|
||||
allow init self:capability dac_override;
|
||||
|
||||
|
|
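Review bot: The comment above `allow init tmpfs:dir relabelfrom;` says the rule is for tmpfs used as /data, but the rule as written lets init relabel from any directory labeled tmpfs, not only the temporary /data mount; the comment should state that scope, or say why it cannot be narrowed here. The denial quoted in the commit message covers only relabelfrom on the source type, so it is also worth naming in the comment which target type init relabels the tmpfs root to, and confirming that the matching relabelto is already permitted elsewhere in the policy, since this hunk does not add it.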