The install_recovery script creates a new recovery image based
off of the boot image plus a patch on /system. We need to allow
read access to the boot image to allow the patching to succeed,
otherwise OTAs are broken.
Addresses the following denial:
type=1400 audit(9109404.519:6): avc: denied { read } for pid=341 comm="applypatch" name="mmcblk0p37" dev="tmpfs" ino=9186 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
TODO: Add device specific labels for the boot image.
Bug: 19534538
Change-Id: Ic811ec03e235df3b1bfca9b0a65e23307cd968aa
The recovery partition has been assigned a recovery_block_device
type for the AOSP devices, so install_recovery should not need
rw access to the generic block_device type. Remove it.
Change-Id: I31621a8157998102859a6e9eb76d405caf6d5f0d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Define a specific block device type for system so that we can
prevent raw writes to the system partition by anything other than
recovery.
Define a specific block device type for recovery so that we
can prevent raw writes to the recovery partition by anything
other than install_recovery or recovery.
These types must be assigned to specific block device nodes
via device-specific policy. This change merely defines the types,
adds allow rules so that nothing will break when the types are assigned,
and adds neverallow rules to prevent adding further allow rules
on these types.
This change does not remove access to the generic block_device type
from any domain so nothing should break even on devices without these
type assignments.
Change-Id: Ie9c1f6d632f6e9e8cbba106f07f6b1979d2a3c4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Create a new domain for the one-shot init service flash_recovery.
This domain is initially in permissive_or_unconfined() for
testing. Any SELinux denials won't be enforced for now.
Change-Id: I7146dc154a5c78b6f3b4b6fb5d5855a05a30bfd8