Introduce a separate wallpaper_file type for the wallpaper file.

app.te

@@ -96,6 +96,9 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
 
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { read write };
+
 # Use the Binder.
 binder_use(appdomain)
 # Perform binder IPC to binder services.

file.te

@@ -52,6 +52,8 @@ type app_data_file, file_type, data_file_type;
 type cache_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type;
 
 # Socket types
 type bluetooth_socket, file_type;

file_contexts

@@ -118,6 +118,8 @@
 /data/misc/wifi(/.*)?		u:object_r:wifi_data_file:s0
 # App sandboxes
 /data/data/.*		u:object_r:app_data_file:s0
+# Wallpaper file.
+/data/data/com.android.settings/files/wallpaper	u:object_r:wallpaper_file:s0
 #############################
 # efs files
 #

system.te

@@ -15,6 +15,9 @@ binder_transfer(system_app, appdomain)
 allow system_app system_data_file:dir create_dir_perms;
 allow system_app system_data_file:file create_file_perms;
 
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
 # Write to dalvikcache.
 allow system_app dalvikcache_data_file:file { write setattr };
 
@@ -137,6 +140,11 @@ allow system rootfs:file r_file_perms;
 allow system apk_tmp_file:file { relabelfrom relabelto };
 allow system apk_data_file:file { relabelfrom relabelto };
 
+# Relabel wallpaper.
+allow system system_data_file:file relabelfrom;
+allow system wallpaper_file:file relabelto;
+allow system wallpaper_file:file r_file_perms;
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system system_wpa_socket:sock_file create_file_perms;