From 67d9932c6744885ee0ef3bab61bbae3b8f16de9b Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Thu, 21 Jan 2016 15:32:08 -0800
Subject: [PATCH] vold launched e2fsck must run in fsck domain
Bug: 22821100
Change-Id: I549abfd31f7286ad50be3adeadaf559816c0ee38
---
 vold.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/vold.te b/vold.te
index 841653168..e16ec73f2 100644
--- a/vold.te
+++ b/vold.te
@@ -81,8 +81,8 @@ allow vold sysfs:file rw_file_perms;
 allow vold kmsg_device:chr_file rw_file_perms;
-# Run fsck.
-allow vold fsck_exec:file rx_file_perms;
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
 # Log fsck results
 allow vold fscklogs:dir rw_dir_perms;
@@ -176,3 +176,5 @@ neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto get
 neverallow { domain -vold -init } vold_data_file:dir *;
 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
 neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold fsck_exec:file execute_no_trans;
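Review bot: Granting `execute` without `execute_no_trans` on `allow vold fsck_exec:file` only puts e2fsck in the fsck domain if a transition from vold on `fsck_exec` is defined, and no such rule is visible in this hunk. If it is missing, the exec is denied outright instead of transitioning, so confirm that `domain_auto_trans(vold, fsck_exec, fsck)` or an equivalent rule exists elsewhere in the policy. The new comment could also state the constraint as well as the intent, for example `# Run fsck in the fsck domain; vold must not exec it in its own domain.`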
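Review bot: The added `neverallow vold fsck_exec:file execute_no_trans;` at the end of the file has no comment, so a later editor has nothing that says what the assertion protects. A line above it such as `# vold must never run fsck in its own domain; it has to transition to fsck.` would tie it to the allow rule changed in the first hunk. It would also separate the rule from the `vold_data_file` and `restorecon_prop` assertions just before it, which cover a different concern.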