From c738cc26ca7d899e20b0ef68748da48893358c96 Mon Sep 17 00:00:00 2001
From: Ricardo Cerqueira
Date: Sat, 3 Jan 2015 04:23:08 +0000
Subject: [PATCH] selinux: Allow recovery to do recursive deletes

Our partial wipes (preserving media) require that recovery can rmdir dirs and getattr files

Change-Id: I206f74131f9a37c5887ef30062adeabb58beaa3a
---
 sepolicy/file.te | 2 +-
 sepolicy/recovery.te | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/sepolicy/file.te b/sepolicy/file.te
index a9c992f7..499ab3f9 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,7 +1,7 @@
 # Support asec containers getting mounted
 allow file_type rootfs:filesystem associate;
 
-type auditd_log, file_type;
+type auditd_log, file_type, data_file_type;
 
 # Themes
 type theme_data_file, file_type, data_file_type;
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index 6110f9a8..87d24120 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -24,4 +24,11 @@ allow recovery media_rw_data_file:file r_file_perms;
 # Control properties
 allow recovery recovery_prop:property_service set;
 
+# recursive rm for wipes... :(
+allow recovery file_type:dir { rw_dir_perms rmdir };
+allow recovery file_type:notdevfile_class_set { unlink getattr };
+# wipe saves and restores the layout version
+allow recovery install_data_file:file create_file_perms;
+allow recovery system_data_file:file create;
+
 ')
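Review bot: The added `data_file_type` attribute on `auditd_log` is not explained anywhere in the hunk or the commit message, and attributes are matched by every rule in the policy that names them, so widening this type's membership changes more than the wipe path this commit is about. The recovery rules in the second file key on `file_type`, which `auditd_log` already carried, so it is not obvious from the diff which rule actually needs this; presumably a `data_file_type`-scoped rule or neverallow elsewhere does, but that is not visible here. A one-line comment above the type would let a later reader check that assumption, e.g. `# auditd logs live on the data partition; tag as data_file_type so data-wide rules cover them`.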
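Review bot: `allow recovery file_type:dir { rw_dir_perms rmdir };` and the following `notdevfile_class_set { unlink getattr }` rule let recovery add to, remove from and unlink under every file-labelled object in the policy, not just the userdata types the commit message says the partial wipe touches; if recovery is ever driven by an attacker-supplied package, that is delete rights over system and rootfs labels too. Since the change is motivated by wiping data while preserving media, scoping the two rules to the attribute the first hunk is already extending — `allow recovery data_file_type:dir { rw_dir_perms rmdir };` and `allow recovery data_file_type:notdevfile_class_set { unlink getattr };` — would cover the stated need with far less blast radius; any type on the wiped partition that is not `data_file_type` should then be listed explicitly rather than falling back to `file_type`. The `:(` in the comment suggests the author knew this was broad, so the comment should at least record why the narrower attribute was not used. The closing `')` on the last context line indicates these rules sit inside an m4 block whose opening lies outside the hunk.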