Allow system to create sdcard symlink [ 7.646044] audit: type=1400 audit(90335.236:4): avc: denied { create } for pid=1 comm="init" name="sdcard" scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0 [ 7.646062] init: Command 'symlink /storage/self/primary /mnt/sdcard' action=init (/init.rc:127) took 0ms and failed: symlink() failed: Permission denied Bug: 144399145 Test: Flash selinux modules, reboot, and find the symlink established Change-Id: Ia408c9bfaeff777a6ce908e5bad40d8c5021fcdf

commit: 1b7f71d7b65139cfaebbf6d35a953f597ac206db [log] [tgz]
author: Adam Shih <adamshih@google.com> Thu Nov 14 11:23:54 2019 +0800
committer: Adam Shih <adamshih@google.com> Thu Nov 14 15:53:52 2019 +0800
tree: 008435297e9299cbecb8df860d640584e4fd2c4b
parent: b315d093f39ba8031da9f22cebc31e338a9aa73a [diff]
diff --git a/vendor/google/init.te b/vendor/google/init.te
index 1eb87f6..76f6021 100644
--- a/vendor/google/init.te
+++ b/vendor/google/init.te

@@ -2,8 +2,8 @@
 allow init firmware_file:filesystem { getattr mount relabelfrom };
 allow init boot_block_device:lnk_file relabelto;
 allow init custom_ab_block_device:lnk_file relabelto;
+allow init tmpfs:lnk_file create;
 
 dontaudit init kernel:system module_request;
 dontaudit init socket_device:sock_file { create setattr };
 dontaudit init sysfs:file { open setattr write };
-dontaudit init tmpfs:lnk_file create;
commit	1b7f71d7b65139cfaebbf6d35a953f597ac206db	[log] [tgz]
author	Adam Shih <adamshih@google.com>	Thu Nov 14 11:23:54 2019 +0800
committer	Adam Shih <adamshih@google.com>	Thu Nov 14 15:53:52 2019 +0800
tree	008435297e9299cbecb8df860d640584e4fd2c4b
parent	b315d093f39ba8031da9f22cebc31e338a9aa73a [diff]