Reload policy after setting up the data partition.

This forces a policy reload + fixcon to deal with dynamically
delivered policy changing labels on device nodes.

It's implemented as a new keyword in init.

Bug: 8702843
Change-Id: I803cf1ecf6ff8318ce25dcc5cda4f292adc9738c
diff --git a/init/builtins.c b/init/builtins.c
index 0f9f131..275a1af 100644
--- a/init/builtins.c
+++ b/init/builtins.c
@@ -515,6 +515,12 @@
     return ret;
 }
 
+int do_selinux_reload(int nargs, char **args) {
+    if (is_selinux_enabled() <= 0)
+        return 0;
+    return selinux_reload_policy();
+}
+
 int do_setcon(int nargs, char **args) {
     if (is_selinux_enabled() <= 0)
         return 0;
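Review bot: `do_selinux_reload` passes the result of `selinux_reload_policy()` straight back without logging it, so a failed reload during boot leaves no trace at this call site. Whether init acts on a builtin's return value is not visible in this hunk; if it does not, the device would keep running on the previously loaded policy with nothing in the log to show it. I would capture the result and log on failure, for example `int rc = selinux_reload_policy();` then `if (rc != 0) ERROR("selinux_reload_policy failed: %d\n", rc);` then `return rc;`, assuming init's `ERROR` logging macro is in scope in this file. A one-line comment that `nargs`/`args` are unused and that a disabled or unknown SELinux state is treated as success (same as `do_setcon`, whose body continues outside the hunk) would also help.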
diff --git a/init/init_parser.c b/init/init_parser.c
index 686640e..5182a29 100644
--- a/init/init_parser.c
+++ b/init/init_parser.c
@@ -138,6 +138,7 @@
         break;
     case 's':
         if (!strcmp(s, "eclabel")) return K_seclabel;
+        if (!strcmp(s, "elinux_reload_policy")) return K_selinux_reload_policy;
         if (!strcmp(s, "ervice")) return K_service;
         if (!strcmp(s, "etcon")) return K_setcon;
         if (!strcmp(s, "etenforce")) return K_setenforce;
diff --git a/init/keywords.h b/init/keywords.h
index f188db5..55d6af3 100644
--- a/init/keywords.h
+++ b/init/keywords.h
@@ -18,6 +18,7 @@
 int do_restorecon(int nargs, char **args);
 int do_rm(int nargs, char **args);
 int do_rmdir(int nargs, char **args);
+int do_selinux_reload(int nargs, char **args);
 int do_setcon(int nargs, char **args);
 int do_setenforce(int nargs, char **args);
 int do_setkey(int nargs, char **args);
@@ -71,6 +72,7 @@
     KEYWORD(rm,          COMMAND, 1, do_rm)
     KEYWORD(rmdir,       COMMAND, 1, do_rmdir)
     KEYWORD(seclabel,    OPTION,  0, 0)
+    KEYWORD(selinux_reload_policy,    COMMAND, 0, do_selinux_reload)
     KEYWORD(service,     SECTION, 0, 0)
     KEYWORD(setcon,      COMMAND, 1, do_setcon)
     KEYWORD(setenforce,  COMMAND, 1, do_setenforce)
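Review bot: The handler name `do_selinux_reload` breaks the `do_<keyword>` pattern that the neighbouring rows follow (`rm`/`do_rm`, `setcon`/`do_setcon`), which makes it harder to find the handler from the keyword. `do_selinux_reload_policy` would match the keyword; the prototype in the first hunk of this file and the definition in init/builtins.c would be renamed to agree. The new `KEYWORD(selinux_reload_policy, ...)` row is also not column-aligned with the rows around it.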
diff --git a/init/property_service.c b/init/property_service.c
index 3248399..62b6c3d 100755
--- a/init/property_service.c
+++ b/init/property_service.c
@@ -384,9 +384,6 @@
          * to prevent them from being overwritten by default values.
          */
         write_persistent_property(name, value);
-    } else if (strcmp("selinux.reload_policy", name) == 0 &&
-               strcmp("1", value) == 0) {
-        selinux_reload_policy();
     }
     property_changed(name, value);
     return 0;
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 854af44..4b4408f 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -177,6 +177,9 @@
     mkdir /cache/lost+found 0770 root root
 
 on post-fs-data
+    # reload SELinux based on what we find on the data partition
+    selinux_reload_policy
+
     # We chown/chmod /data again so because mount is run as root + defaults
     chown system system /data
     chmod 0771 /data
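Review bot: The `post-fs-data` trigger reloads policy but, unlike the `on property:selinux.reload_policy=1` trigger further down in this file, does not restart `ueventd` or `installd`, so daemons that are already running may keep the contexts they loaded earlier. Please confirm this is intended, given that the commit message describes the goal as fixing labels on device nodes. The reload also runs before the `chown`/`chmod` of `/data` on the following lines, so how far the policy files found on the data partition can be trusted depends on whatever validation `selinux_reload_policy` performs, which is not visible here. The added comment should name the location the policy is read from and state why no service restart is needed at this stage.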
@@ -410,6 +413,7 @@
     seclabel u:r:ueventd:s0
 
 on property:selinux.reload_policy=1
+    selinux_reload_policy
     restart ueventd
     restart installd