DO NOT MERGE: Adding permissions needed to remove cache
During removing cache data using Zipper application, I found violation logs.
avc: denied { write } for pid=198 comm="installd" name="cache" dev="mmcblk0p29" ino=81680 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir
avc: denied { remove_name } for pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir
avc: denied { unlink } for pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=file
Reproduction path is like below
1. Downloading Zipper application from Google Play (I used Zipper 1.9.9.2)
2. Clicking option and clicking "removing cache" button
3. Select "yes"
4. Violation show up
(cherry picked from commit 9cc6d8d581b6094b36c59a0e95d674cb193916e8)
Bug: 13450421
Change-Id: I487ccd1d8d58bf2c590af39a7b1eb448c113670e
diff --git a/installd.te b/installd.te
index 85ba69f..7c72158 100644
--- a/installd.te
+++ b/installd.te
@@ -16,8 +16,8 @@
allow installd apk_tmp_file:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;
-allow installd download_file:dir { r_dir_perms };
-allow installd download_file:file { r_file_perms };
+allow installd download_file:dir { r_dir_perms write remove_name };
+allow installd download_file:file { r_file_perms unlink };
dontaudit installd self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(installd)
