selinux: Allow recovery to do recursive deletes
Our partial wipes (preserving media) require that recovery can
rmdir dirs and getattr files
Change-Id: I206f74131f9a37c5887ef30062adeabb58beaa3a
diff --git a/sepolicy/file.te b/sepolicy/file.te
index a9c992f..499ab3f 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,7 +1,7 @@
# Support asec containers getting mounted
allow file_type rootfs:filesystem associate;
-type auditd_log, file_type;
+type auditd_log, file_type, data_file_type;
# Themes
type theme_data_file, file_type, data_file_type;
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index 6110f9a..87d2412 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -24,4 +24,11 @@
# Control properties
allow recovery recovery_prop:property_service set;
+# recursive rm for wipes... :(
+allow recovery file_type:dir { rw_dir_perms rmdir };
+allow recovery file_type:notdevfile_class_set { unlink getattr };
+# wipe saves and restores the layout version
+allow recovery install_data_file:file create_file_perms;
+allow recovery system_data_file:file create;
+
')