init.rc: restorecon /data/media before chattr

The SELinux type of /data/media has changed from media_rw_data_file to
media_userdir_file, but the recursive restorecon of /data happens too
late when taking an upgrade.  Add a restorecon of /data/media to just
above the chattr command which needs the new label to be allowed.  This
doesn't "really" matter, since the chattr command is only needed just
after the directory was created anyway, but this fixes a SELinux denial.

Bug: 156305599
Bug: 232824121
Change-Id: I897be19ceb4686511469bdf7efda2483f298eee4
Eric Biggers 2022-05-17 02:26:16 +00:00
parent 9fcf000264
commit dce8ba253e

@ -922,7 +922,6 @@ on post-fs-data
# contain any subdirectories other than the per-user ones. /data/media/obb
# is an exception that exists for legacy reasons.
mkdir /data/media 0770 media_rw media_rw encryption=None
exec - media_rw media_rw -- /system/bin/chattr +F /data/media
mkdir /data/misc_ce 01771 system misc encryption=None
mkdir /data/misc_de 01771 system misc encryption=None
mkdir /data/system_ce 0770 system system encryption=None
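Review bot: The `exec - media_rw media_rw -- /system/bin/chattr +F /data/media` line that followed `mkdir /data/media` is relocated further down post-fs-data, but the commit message only mentions adding a restorecon above the chattr and does not say why the chattr itself has to move. Either state the reason in the commit message, or keep the exec here and insert `restorecon /data/media` between the mkdir and the exec, so the casefold flag is still set immediately after the directory is created.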
@ -932,6 +931,11 @@ on post-fs-data
mkdir /data/vendor_ce 0771 root root encryption=None
mkdir /data/vendor_de 0771 root root encryption=None
# Set the casefold flag on /data/media. For upgrades, a restorecon can be
# needed first to relabel the directory from media_rw_data_file.
restorecon /data/media
exec - media_rw media_rw -- /system/bin/chattr +F /data/media
# A tmpfs directory, which will contain all apps CE DE data directory that
# bind mount from the original source.
mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000
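Review bot: The new comment above `restorecon /data/media` names only the old type, media_rw_data_file. Name the new type as well (media_userdir_file, per the commit message), and note that this restorecon is non-recursive: only the directory itself is relabeled at this point, and its contents still depend on the later recursive restorecon of /data.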