Explicitly call restorecon_recursive on /metadata/apex On some devices we see a weird in which /metadata/apex will have a wrong selinux label. This will effectively prevent such devices from getting any apex updates. Since we haven't figured out a root cause for this bug, it's safer to explicitly call restorecon on /metadata/apex to make sure it's correct. This change shouldn't affect a normal boot flow, since /metadata/apex will already have a correct label and restorecon_recursive will be a no-op. Test: rm -Rf /metadata/apex && \ mkdir /metadata/apex && mkdir /metadata/apex/sessions Bug: 149317789 Change-Id: I971ffe35c93bb79d9e71106c24515ec0ee70333a

commit: 51cadcc81e24f462afb9bd1dc874bec121345abd [log] [tgz]
author: Nikita Ioffe <ioffe@google.com> Mon Jun 22 17:47:23 2020 +0100
committer: Nikita Ioffe <ioffe@google.com> Mon Jun 22 16:56:38 2020 +0000
tree: f5fcdd32664b62c809c8cc357f2ac7cf5c11b60c
parent: 14c5b99e406692c14c15305c1dba08e390d88b76 [diff]
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 73ac7fd..e7ba1f3 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -517,6 +517,12 @@
 
     mkdir /metadata/apex 0700 root system
     mkdir /metadata/apex/sessions 0700 root system
+    # On some devices we see a weird behaviour in which /metadata/apex doesn't
+    # have a correct label. To workaround this bug, explicitly call restorecon
+    # on /metadata/apex. For most of the boot sequences /metadata/apex will
+    # already have a correct selinux label, meaning that this call will be a
+    # no-op.
+    restorecon_recursive /metadata/apex
 
     mkdir /metadata/staged-install 0770 root system
 on late-fs
commit	51cadcc81e24f462afb9bd1dc874bec121345abd	[log] [tgz]
author	Nikita Ioffe <ioffe@google.com>	Mon Jun 22 17:47:23 2020 +0100
committer	Nikita Ioffe <ioffe@google.com>	Mon Jun 22 16:56:38 2020 +0000
tree	f5fcdd32664b62c809c8cc357f2ac7cf5c11b60c
parent	14c5b99e406692c14c15305c1dba08e390d88b76 [diff]