From 115aafa7ab540a93f90ec11b796f5eaf06a47ba1 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Tue, 21 May 2019 16:22:21 -0700
Subject: [PATCH] Fix selinux denials when applying updates in recovery.

These lines are copied from update_engine.te, and are needed to update dynamic partitions in recovery.

Bug: 132943965
Test: sideload OTA on cuttlefish
Change-Id: Id03a658aac69b8d20fa7bb758530a4469c75cf9c
Merged-In: Id03a658aac69b8d20fa7bb758530a4469c75cf9c
---
 prebuilts/api/29.0/public/recovery.te | 4 ++++
 public/recovery.te | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/prebuilts/api/29.0/public/recovery.te b/prebuilts/api/29.0/public/recovery.te
index 12eadee83..d5d16a29a 100644
--- a/prebuilts/api/29.0/public/recovery.te
+++ b/prebuilts/api/29.0/public/recovery.te
@@ -138,6 +138,10 @@ recovery_only(`
 # This line seems suspect, as it should not really need to
 # set scheduling parameters for a kernel domain task.
 allow recovery kernel:process setsched;
+
+ # These are needed to update dynamic partitions in recovery.
+ r_dir_file(recovery, sysfs_dm)
+ allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
 ')

 ###
diff --git a/public/recovery.te b/public/recovery.te
index 12eadee83..d5d16a29a 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -138,6 +138,10 @@ recovery_only(`
 # This line seems suspect, as it should not really need to
 # set scheduling parameters for a kernel domain task.
 allow recovery kernel:process setsched;
+
+ # These are needed to update dynamic partitions in recovery.
+ r_dir_file(recovery, sysfs_dm)
+ allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
 ')

 ###
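Review bot: The added `allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };` in `public/recovery.te` (and its identical copy under `prebuilts/api/29.0/`) only restricts which ioctl commands are permitted. It does not grant the `ioctl` permission itself, so it has an effect only if a base `allow recovery ...:blk_file ... ioctl` rule covers `super_block_device_type`. That rule is not visible in this hunk, because the `recovery_only` block starts outside it, so it is worth confirming against the rest of the file. The new comment would also be easier to audit if it said what each rule is for, for example `# Dynamic partition updates: read device-mapper state from sysfs_dm and query super partition I/O alignment (BLKIOMIN, BLKALIGNOFF).`, assuming that matches the denials that were observed. Quoting the denial lines in the commit message would let a reviewer check that the grant is no wider than needed.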