From dce8ba253e137597ad32bf4b5543cd0af0b061ad Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Tue, 17 May 2022 02:26:16 +0000
Subject: [PATCH] init.rc: restorecon /data/media before chattr

The SELinux type of /data/media has changed from media_rw_data_file to media_userdir_file, but the recursive restorecon of /data happens too late when taking an upgrade. Add a restorecon of /data/media to just above the chattr command which needs the new label to be allowed. This doesn't "really" matter, since the chattr command is only needed just after the directory was created anyway, but this fixes a SELinux denial.

Bug: 156305599
Bug: 232824121
Change-Id: I897be19ceb4686511469bdf7efda2483f298eee4
---
 rootdir/init.rc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 2746314c7..70a3736cb 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -922,7 +922,6 @@ on post-fs-data
 # contain any subdirectories other than the per-user ones. /data/media/obb
 # is an exception that exists for legacy reasons.
 mkdir /data/media 0770 media_rw media_rw encryption=None
- exec - media_rw media_rw -- /system/bin/chattr +F /data/media
 mkdir /data/misc_ce 01771 system misc encryption=None
 mkdir /data/misc_de 01771 system misc encryption=None
 mkdir /data/system_ce 0770 system system encryption=None
@@ -932,6 +931,11 @@ on post-fs-data
 mkdir /data/vendor_ce 0771 root root encryption=None
 mkdir /data/vendor_de 0771 root root encryption=None
 
+ # Set the casefold flag on /data/media. For upgrades, a restorecon can be
+ # needed first to relabel the directory from media_rw_data_file.
+ restorecon /data/media
+ exec - media_rw media_rw -- /system/bin/chattr +F /data/media
+
 # A tmpfs directory, which will contain all apps CE DE data directory that
 # bind mount from the original source.
 mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000
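Review bot: The comment added above `restorecon /data/media` in the second hunk does not say that the relabel is deliberately limited to the directory itself, nor does it name the type the directory ends up with; both facts appear only in the commit message. Since the `chattr +F` exec needs just the directory's own label and the recursive restorecon of /data runs later, I would extend the comment, e.g. `# Relabel only the directory itself (to media_userdir_file); the recursive restorecon of /data runs later.` That keeps a later edit from widening this into a recursive relabel of user media this early in post-fs-data, or from dropping the line as redundant. The `on post-fs-data` block starts and ends outside the hunk.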