selinux: Allow recovery to do recursive deletes

Our partial wipes (preserving media) require that recovery can rmdir dirs and getattr files Change-Id: I206f74131f9a37c5887ef30062adeabb58beaa3a
2015-01-03 04:23:08 +00:00 · 2015-01-03 04:23:08 +00:00 · c738cc26ca
parent 444ce4a6b1
commit c738cc26ca
2 changed files with 8 additions and 1 deletions
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@ -1,7 +1,7 @@
 # Support asec containers getting mounted
 allow file_type rootfs:filesystem associate;

-type auditd_log, file_type;
+type auditd_log, file_type, data_file_type;

 # Themes
 type theme_data_file, file_type, data_file_type;
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@ -24,4 +24,11 @@ allow recovery media_rw_data_file:file r_file_perms;
 # Control properties
 allow recovery recovery_prop:property_service set;

+# recursive rm for wipes... :(
+allow recovery file_type:dir { rw_dir_perms rmdir };
+allow recovery file_type:notdevfile_class_set { unlink getattr };
+# wipe saves and restores the layout version
+allow recovery install_data_file:file create_file_perms;
+allow recovery system_data_file:file create;
+
 ')