From d2d1a7ffb1f5e831ed654379496f0efe88159a66 Mon Sep 17 00:00:00 2001
From: Ricardo Cerqueira
Date: Wed, 17 Jul 2013 16:45:20 +0100
Subject: [PATCH] Add SELinux filesystem relabeling to init

Since not all recoveries out there will support the OTA packages' own labeling, check at boot if the system needs labels (and apply them)

Change-Id: I58767977b90a78a12efe7bd9d713654eadf47e7a
---
 config/common.mk | 4 ++
 prebuilt/common/etc/init.d/50selinuxrelabel | 46 +++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 prebuilt/common/etc/init.d/50selinuxrelabel

diff --git a/config/common.mk b/config/common.mk
index 96e6ce59..56d53b73 100644
--- a/config/common.mk
+++ b/config/common.mk
@@ -95,6 +95,10 @@ PRODUCT_COPY_FILES += \
 PRODUCT_COPY_FILES += \
     vendor/cm/prebuilt/common/etc/init.d/90userinit:system/etc/init.d/90userinit
 
+# SELinux filesystem labels
+PRODUCT_COPY_FILES += \
+    vendor/cm/prebuilt/common/etc/init.d/50selinuxrelabel:system/etc/init.d/50selinuxrelabel
+
 # CM-specific init file
 PRODUCT_COPY_FILES += \
     vendor/cm/prebuilt/common/etc/init.local.rc:root/init.cm.rc
diff --git a/prebuilt/common/etc/init.d/50selinuxrelabel b/prebuilt/common/etc/init.d/50selinuxrelabel
new file mode 100644
index 00000000..4096fdcb
--- /dev/null
+++ b/prebuilt/common/etc/init.d/50selinuxrelabel
@@ -0,0 +1,46 @@
+#!/system/bin/sh
+
+L="log -p i -t SELinuxLabel"
+
+# Bail out early if not on a SELinux build
+getprop ro.build.selinux | grep -q 1 || exit
+if [ ! -f /file_contexts ]; then
+    exit
+fi
+
+LABELDATA=0
+LABELSYS=0
+
+# Test /data
+ls -Zd /data/anr | grep -q unlabeled
+if [ $? -eq 0 ]; then
+    $L "userdata is unlabeled, fixing..."
+    LABELDATA=1
+fi
+
+ls -Z /system/bin/surfaceflinger | grep -q unlabeled
+if [ $? -eq 0 ]; then
+    $L "system is unlabeled, fixing... (You really should update your recovery)"
+    LABELSYS=1
+fi
+
+ls -Z /system/app/GoogleServicesFramework.apk | grep -q unlabeled
+if [ $LABELSYS = "0" -a $? -eq 0 ]; then
+    $L "Found unlabeled Google framework, fixing..."
+    LABELSYS=1
+fi
+
+
+if [ $LABELSYS = "1" ]; then
+    busybox mount -o remount,rw /system
+    $L "/system relabel starting..."
+    restorecon -R /system
+    $L "/system relabel complete"
+    busybox mount -o remount,ro /system
+fi
+
+if [ $LABELDATA = "1" ]; then
+    $L "/data relabel starting..."
+    restorecon -R /data
+    $L "/data relabel complete"
+fi
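Review bot: In the `if [ $LABELSYS = "1" ]` block the exit status of `busybox mount -o remount,rw /system` and of `restorecon -R /system` is never checked, so a failed remount (busybox missing, or /system not remountable) or a restorecon that stops part way is still logged as "/system relabel complete" and the partition is remounted read-only as if the relabel had succeeded. Since the only trigger for another attempt is the label on the two probe files, `/system/bin/surfaceflinger` and `GoogleServicesFramework.apk`, a partially relabeled /system may never be retried on later boots, leaving files with missing or wrong labels, which is exactly what this script exists to prevent; the `restorecon -R /data` status is dropped the same way. I would gate the /system relabel on the remount succeeding and log restorecon failures explicitly (to the extent the toolbox restorecon returns non-zero on error, which I have not confirmed), as below. The window in which /system stays writable if the script is killed between the two mount calls remains, but the log then at least records that the read-only remount did not happen.
```shell
if [ $LABELSYS = "1" ]; then
    if busybox mount -o remount,rw /system; then
        $L "/system relabel starting..."
        restorecon -R /system || $L "/system relabel reported errors, labels may be incomplete"
        $L "/system relabel complete"
        busybox mount -o remount,ro /system || $L "WARNING: could not remount /system read-only"
    else
        $L "could not remount /system rw, skipping /system relabel"
    fi
fi

if [ $LABELDATA = "1" ]; then
    $L "/data relabel starting..."
    restorecon -R /data || $L "/data relabel reported errors, labels may be incomplete"
    $L "/data relabel complete"
fi
```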