sepolicy: Fix a few denials when using backup service

Change-Id: Ia5c307a126d42f1dd5952f809f8b4ca1c686a33c

1 files changed, 9 insertions, 1 deletions

diff --git a/system.te b/system.te
index 432ae36..18e0a7b 100644
--- a/system.te
+++ b/system.te
@@ -13,10 +13,18 @@ type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system self:zygote { specifyids specifyrlimits specifyseinfo };
 
 allow system backup_data_file:dir relabelto;
-allow system cache_backup_file:dir relabelto;
 allow system apk_data_file:file relabelto;
 allow system apk_tmp_file:file relabelto;
 allow system apk_private_tmp_file:file relabelto;
 
 # Access to wake locks
 allow system sysfs_wake_lock:file rw_file_perms;
+
+# BackupManagerService lets PMS create a data backup file
+allow system cache_backup_file:file create_file_perms;
+# Relabel /data/backup
+allow system backup_data_file:dir { relabelto relabelfrom };
+# Relabel /cache/.*\.{data|restore}
+allow system cache_backup_file:file { relabelto relabelfrom };
+# LocalTransport creates and relabels /cache/backup
+allow system cache_backup_file:dir { relabelto relabelfrom create_dir_perms };