Allow update_engine to write BCB.
update_engine can trigger a factory-reset when the update to an older
version or an incompatible version requires it.
Bug: 28700985
TEST=Updated a device with a factory-reset required and the BCB was
written.
(cherry picked from commit 15105ce77713315372e4223d55bc38fda74f9c97)
Change-Id: I7d2efc0e7f164d618cbb3fe190882e4fa8a89bac
diff --git a/update_engine.te b/update_engine.te
index c578692..5542b48 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -28,6 +28,11 @@
allow update_engine boot_block_device:blk_file rw_file_perms;
allow update_engine system_block_device:blk_file rw_file_perms;
+# Allow to set recovery options in the BCB. Used to trigger factory reset when
+# the update to an older version (channel change) or incompatible version
+# requires it.
+allow update_engine misc_block_device:blk_file rw_file_perms;
+
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
