Allow update_engine to suspend/resume postinstall.

update_engine launches the postinstall process and can suspend and
resume it by sending SIGSTOP and SIGCONT. This fixes the following
denials:

update_engine: type=1400 audit(0.0:88): avc: denied { sigstop } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1
update_engine: type=1400 audit(0.0:89): avc: denied { signal } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1

Bug: 28959137
TEST=`update_engine_client --suspend ; update_engine_client --resume` while the device is running postinstall.

(cherry picked from commit 108b74a193c8c424ee4579bae7f2f0444840428e)

Change-Id: Iec8e10fe0cfda5c0764d2e5ad90ea1c6dd13dab2
diff --git a/update_engine.te b/update_engine.te
index 5542b48..9f94243 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -55,6 +55,9 @@
 # to execute those.
 allow update_engine shell_exec:file rx_file_perms;
 
+# Allow update_engine to suspend, resume and kill the postinstall program.
+allow update_engine postinstall:process { signal sigstop };
+
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 allow update_engine update_engine_service:service_manager { add };
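Review bot: The comment on the added rule says update_engine may "suspend, resume and kill" postinstall, but the rule grants only `signal` and `sigstop`. SIGKILL is checked under the separate `sigkill` permission, so a forced kill would still be denied. `signal` is not limited to SIGCONT; it also covers other ordinary signals such as SIGTERM, which is wider than the suspend/resume use the commit message describes. I would reword the comment to state exactly what is granted, e.g. `# Allow update_engine to suspend (SIGSTOP) and resume (SIGCONT) postinstall; "signal" also permits SIGTERM, but SIGKILL is not granted.`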