authorJeff Sharkey <jsharkey@android.com>2015-06-09 23:30:04 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>2015-06-09 23:30:08 +0000
commit86987a016b7b930e4f11b3fedf3031b7fcb5412d (patch)
treeb6e33e4541b3ded23d6216c2ce5b5bb15ca38cf6
parentba8821b0cbe9c94ea7223b2bcb78403bfdfdb4ba (diff)
parent7617cd48b7b67bfacab5f574064a1f3d2a4f82e1 (diff)
downloadsepolicy-86987a016b7b930e4f11b3fedf3031b7fcb5412d.tar.gz
Merge "New "selinux.restorecon" control property." into mnc-dev
-rw-r--r--property.te1
-rw-r--r--property_contexts3
-rw-r--r--vold.te2
3 files changed, 5 insertions, 1 deletions
diff --git a/property.te b/property.te
index 94ae714..e046f42 100644
--- a/property.te
+++ b/property.te
@@ -21,6 +21,7 @@ type ctl_bugreport_prop, property_type;
type ctl_console_prop, property_type;
type audio_prop, property_type;
type logd_prop, property_type;
+type restorecon_prop, property_type;
type security_prop, property_type;
type bluetooth_prop, property_type;
type pan_result_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 1844910..5bdb3c3 100644
--- a/property_contexts
+++ b/property_contexts
@@ -41,7 +41,8 @@ persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
# selinux non-persistent properties
-selinux. u:object_r:security_prop:s0
+selinux.restorecon_recursive u:object_r:restorecon_prop:s0
+selinux. u:object_r:security_prop:s0
# default property context
* u:object_r:default_prop:s0
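Review bot: The new key `selinux.restorecon_recursive` has no trailing dot, unlike `selinux.` and `persist.security.` around it, so if keys are matched as prefixes, any property whose name merely starts with that string would also be labelled `restorecon_prop`. The entry also relies on the more specific key being chosen over `selinux.`. Whether that precedence comes from file order or from key length is not visible in this hunk and should be confirmed against the property lookup code. A comment above the entry would record the intent, for example `# more specific than the selinux. prefix below; settable only by vold and init`.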
diff --git a/vold.te b/vold.te
index 49815c8..af050c8 100644
--- a/vold.te
+++ b/vold.te
@@ -111,6 +111,7 @@ allow vold kernel:process setsched;
set_prop(vold, vold_prop)
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;
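Review bot: `set_prop(vold, restorecon_prop)` is added with no comment saying why vold needs it, even though the last hunk of this file denies the same permission to every domain except vold and init. Going by the commit title, this is a control property that triggers a relabel, presumably carried out by init on a path passed as the value; that is inferred, not shown here. If so, whoever can set it steers a privileged relabel, and the grant should say so. A line such as `# vold requests a recursive restorecon via selinux.restorecon_recursive` above the rule would do, with the wording confirmed by the author.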
@@ -159,3 +160,4 @@ neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setat
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init } restorecon_prop:property_service set;
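Review bot: The `neverallow` on `restorecon_prop:property_service set` is appended to a run of `vold_data_file` rules and lives in vold.te, although the type is declared in property.te. Someone auditing who may set this property is likely to look next to the type declaration first. Consider moving the rule there, or at least separating it from the `vold_data_file` rules with `# Only vold and init may request a restorecon through this property.` This rule is what makes a later `set_prop(<domain>, restorecon_prop)` for another domain fail at policy build time, so it should be easy to find.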